Security

The following scenarios show how to configure WLAN interfaces to use different security modes. All examples use the wifi0 radio module and channel number 36 to avoid waiting for the CAC timer to expire. Note that an external RADIUS server is required in enterprise scenarios, and the testing user with password password must be present in its database.


Open Security

Description

In this example, the wlan1 interface will be configured to use no security.

Scenario

Warning

Note that the traffic will be visible to any attacker. Use OWE or OWE-Transition instead.

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm none
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm none
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none

Step 4: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.29 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.37 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.369/4.327/6.286/1.959 ms

Step 5: Run command configure at DUT0 and expect this output:

Step 6: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 7: Run command set interfaces bridge br0 at DUT0 and expect this output:

Step 8: Run command commit at DUT0 and expect this output:


OWE-Transition Mode

Description

In this example, the wlan1 interface will be configured to use OWE (Opportunistic Wireless Encryption) security, and an additional interface, wlan2, will be configured with open security. The open network is only a transition mechanism that tells WPA3-capable devices to use the OWE network if they connect to it.

Scenario

Step 1: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point disable-broadcast-ssid
set interfaces wlan wlan1 type access-point security akm owe transition wlan-ifc wlan2
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan2 bridge-group bridge br0
set interfaces wlan wlan2 phy wifi0
set interfaces wlan wlan2 type access-point security akm none transition wlan-ifc wlan1
set interfaces wlan wlan2 type access-point ssid robotest_5ghz_owe
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Run command configure at DUT0 and expect this output:

Step 3: Run command set interfaces wlan wlan1 type access-point ssid network_5GHz_renamed at DUT0 and expect this output:

Step 4: Run command commit at DUT0 and expect this output:

Note

See the open security and owe security examples for client-side configurations.

WPA-Personal Mode

Description

In this example, the wlan1 interface will be configured in WPA personal mode, where security is ensured by means of pre-shared key secret-password. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

WPA-Personal is no longer considered secure. Use WPA/WPA2-Personal instead if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18nfuAGdJt5yGyTGARkLyEo2LqdUK6pfGI=
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18nfuAGdJt5yGyTGARkLyEo2LqdUK6pfGI=
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm psk
set interfaces wlan wlan0 type station network 1 security framework wpav1
set interfaces wlan wlan0 type station network 1 security passphrase secret-password

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=5.09 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.89 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.888/3.988/5.089/1.102 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1/ZJ6lmegJZwd486DBzb0A6FJ3Egv8pe+0=
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1+hRQMabMteNIqrqAiMhCI9v+B01BtkPaY=
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA/WPA2-Personal Mode

Description

In this example, the wlan1 interface will be configured in WPA/WPAv2 personal mode, also known as WPAv2 Mixed mode. Here, security is ensured by means of pre-shared key secret-password. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

This mode was originally intended to provide WPA2 security while supporting legacy WPA stations. Since stations can still connect using WPA security, which is not considered safe, use this mode only if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1/6z+AcvsHthaeKCiUznNqybQ4JcX+ad9g=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1/6z+AcvsHthaeKCiUznNqybQ4JcX+ad9g=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm psk
set interfaces wlan wlan0 type station network 1 security framework wpav1
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers tkip
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security passphrase secret-password

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.23 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.45 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.448/4.336/6.225/1.889 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1/LTCf4wD4X2y+4vXeC/xWzqTbIvzrVD3U=
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX192i33skgNeGkgmtFP7A8r9H4OPckGay94=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA3-Personal Only Mode

Description

In this example, the wlan1 interface will be configured in WPAv3 personal mode, also known as SAE (Simultaneous Authentication of Equals), the state-of-the-art in PSK mode, where the security is ensured by means of pre-shared key secret-password. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames or pmf must be set to required in this mode.

Scenario

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1+BXA+m7n2qBRRK4TIDgostv80eTFChhcU=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1+BXA+m7n2qBRRK4TIDgostv80eTFChhcU=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm sae
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security passphrase secret-password
set interfaces wlan wlan0 type station network 1 security pmf required

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=7.36 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.36 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 2.357/4.860/7.363/2.503 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX197/Ycgn5vjva2gJCwISPcfcdCw/cBkpzI=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18QX6lQ3yVQ38j9YzROX+k93Yj6iA7OCZY=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-128
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 14: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 15: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18jQ32lRmxPceOZ9ydWeQ5tvIFwMorkv2k=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
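
The warnings and requirements stated in the sections above (open traffic is visible unless OWE is used, WPA is no longer considered secure, mixed mode is only for legacy devices, WPA3-Personal only mode needs pmf required) can be checked mechanically against a configuration. The following Python script is an added example, not part of the original page or of the vendor's tooling; the function names and finding codes are hypothetical, and the sample configurations are constructed from the security lines shown on this page. It assumes that wpav1 ciphers without top-level pairwise-ciphers means WPA-only, as in the examples above.

```python
import re
from collections import defaultdict

# Access-point security lines, in the syntax used by this page's examples.
_SEC = re.compile(r"^set interfaces wlan (\S+) type access-point security (.+)$")

# Hypothetical finding codes; the wording follows the page's warnings.
MESSAGES = {
    "OPEN_NO_OWE": "open network, traffic visible to anyone: use OWE or OWE-Transition",
    "WPA1_ONLY": "WPA-Personal is no longer considered secure",
    "WPA1_MIXED": "WPA/WPA2 mixed mode: keep only if legacy devices are present",
    "SAE_PMF_NOT_REQUIRED": "WPA3-Personal only mode needs 'pmf required'",
}


def parse_ap_security(config):
    """Return {interface: settings} for every access-point security line."""
    aps = defaultdict(lambda: {"akm": set(), "rsn_ciphers": set(),
                               "wpav1_ciphers": set(), "pmf": None,
                               "transition": None})
    for line in config.splitlines():
        m = _SEC.match(line.strip())
        if not m:
            continue
        ap, words = aps[m.group(1)], m.group(2).split()
        if words[0] == "akm" and len(words) >= 2:
            ap["akm"].add(words[1])
            # e.g. "akm owe transition wlan-ifc wlan2"
            if words[2:4] == ["transition", "wlan-ifc"] and len(words) >= 5:
                ap["transition"] = words[4]
        elif words[0] == "pairwise-ciphers" and len(words) >= 2:
            ap["rsn_ciphers"].add(words[1])
        elif words[:2] == ["wpav1", "pairwise-ciphers"] and len(words) >= 3:
            ap["wpav1_ciphers"].add(words[2])
        elif words[0] == "pmf" and len(words) >= 2:
            ap["pmf"] = words[1]
    return dict(aps)


def audit(config):
    """Return a sorted list of (interface, finding code) for weak settings."""
    aps = parse_ap_security(config)
    findings = []
    for ifc, ap in sorted(aps.items()):
        if ap["akm"] == {"none"}:
            # An open AP is acceptable only as the companion of an OWE AP.
            peer = aps.get(ap["transition"], {})
            if "owe" not in peer.get("akm", set()):
                findings.append((ifc, "OPEN_NO_OWE"))
        if ap["wpav1_ciphers"]:
            # Assumption: no top-level pairwise-ciphers means WPA-only.
            code = "WPA1_MIXED" if ap["rsn_ciphers"] else "WPA1_ONLY"
            findings.append((ifc, code))
        if ap["akm"] == {"sae"} and ap["pmf"] != "required":
            findings.append((ifc, "SAE_PMF_NOT_REQUIRED"))
    return findings


_P = "set interfaces wlan wlan1 type access-point security "
# Constructed samples: security lines copied from this page's scenarios.
SAMPLES = {
    "open": _P + "akm none",
    "owe-transition": "\n".join([
        _P + "akm owe transition wlan-ifc wlan2",
        _P + "pairwise-ciphers aes-ccmp",
        _P + "pmf required",
        "set interfaces wlan wlan2 type access-point security "
        "akm none transition wlan-ifc wlan1",
    ]),
    "wpa-personal": "\n".join([
        _P + "akm psk",
        _P + "wpav1 pairwise-ciphers aes-ccmp",
        _P + "wpav1 pairwise-ciphers tkip",
    ]),
    "wpa-wpa2-mixed": "\n".join([
        _P + "akm psk",
        _P + "pairwise-ciphers aes-ccmp",
        _P + "pairwise-ciphers tkip",
        _P + "wpav1 pairwise-ciphers aes-ccmp",
        _P + "wpav1 pairwise-ciphers tkip",
    ]),
    "wpa3-sae": "\n".join([
        _P + "akm sae",
        _P + "pairwise-ciphers aes-ccmp",
        _P + "pmf required",
    ]),
    # Constructed variant: the SAE example with its pmf line removed.
    "wpa3-sae-no-pmf": "\n".join([
        _P + "akm sae",
        _P + "pairwise-ciphers aes-ccmp",
    ]),
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        results = audit(cfg)
        print(f"{name}: {'ok' if not results else ''}")
        for ifc, code in results:
            print(f"  {ifc}: {code} - {MESSAGES[code]}")
```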

WPA2/WPA3-Personal Transition Mode

Description

In this example, the wlan1 interface will be configured in WPAv2/WPAv3 personal mode, also known as WPAv3 transition mode, where the security is ensured by means of pre-shared key secret-password. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames or pmf must be set to optional in this mode.

Scenario

Note

This is a transition mode intended to provide connectivity to WPAv2-capable stations. WPAv3-capable stations will use this security mode when connecting to the device.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX19qxkhX3tJGuEc6vCFjtxLB5xfNaS3SMFU=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX19qxkhX3tJGuEc6vCFjtxLB5xfNaS3SMFU=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm psk
set interfaces wlan wlan0 type station network 1 security akm psk-256
set interfaces wlan wlan0 type station network 1 security akm sae
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security passphrase secret-password
set interfaces wlan wlan0 type station network 1 security pmf required

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=7.07 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.40 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.399/4.734/7.070/2.336 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18jAQJ+2SY1NJBVr97o7P50V6ZBQLnBb98=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX18FrOyX29xtCsT/+0pRnCWx8JzqEzKt2VA=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-128
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 14: Set the following configuration in DUT0:

set interfaces bridge br0
set interfaces ethernet eth2 bridge-group bridge br0
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 15: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security akm psk
set interfaces wlan wlan1 type access-point security akm psk-256
set interfaces wlan wlan1 type access-point security akm sae
set interfaces wlan wlan1 type access-point security encrypted-passphrase U2FsdGVkX1/Vug9RXZid5sIOlSVrkCQps9TElnuDgkE=
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPA enterprise mode, where security is ensured by means of radius server 10.215.168.1. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

WPA-Enterprise is no longer considered secure. Use WPA/WPAv2-Enterprise instead if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX19oNahI4UZkli+j9FkZTbiwRNIRGVqLDLKh1+ZAuBMF0pnKrRmr6H8gwYNyRMN0ofb0Uf1jSPhXFA==

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX19oNahI4UZkli+j9FkZTbiwRNIRGVqLDLKh1+ZAuBMF0pnKrRmr6H8gwYNyRMN0ofb0Uf1jSPhXFA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm dot1x
set interfaces wlan wlan0 type station network 1 security framework wpav1
set interfaces wlan wlan0 type station network 1 security eap-method mschapv2
set interfaces wlan wlan0 type station network 1 security identity testing
set interfaces wlan wlan0 type station network 1 security passphrase password

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=4.96 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.33 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.329/3.644/4.960/1.316 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Configuration path: [interfaces bridge br0] already exists

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX19oNahI4UZkli+j9FkZTbiwRNIRGVqLDLKh1+ZAuBMF0pnKrRmr6H8gwYNyRMN0ofb0Uf1jSPhXFA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX19oNahI4UZkli+j9FkZTbiwRNIRGVqLDLKh1+ZAuBMF0pnKrRmr6H8gwYNyRMN0ofb0Uf1jSPhXFA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA2-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPAv2 enterprise mode, where security is ensured by means of radius server 10.215.168.1. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

The tkip unicast cipher is considered unsafe. Use aes-ccmp instead.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/3fGm+CdQOFRY9kYWmHRBSn1XLdS9MCD8M/+5WuRJBtk5IAhVx0XZ9HKZ5r4C6K27PAcVFWm0Yxg==

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/3fGm+CdQOFRY9kYWmHRBSn1XLdS9MCD8M/+5WuRJBtk5IAhVx0XZ9HKZ5r4C6K27PAcVFWm0Yxg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm dot1x
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers tkip
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security eap-method mschapv2
set interfaces wlan wlan0 type station network 1 security identity testing
set interfaces wlan wlan0 type station network 1 security passphrase password

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.28 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.34 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.344/4.310/6.276/1.966 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Configuration path: [interfaces bridge br0] already exists

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/3fGm+CdQOFRY9kYWmHRBSn1XLdS9MCD8M/+5WuRJBtk5IAhVx0XZ9HKZ5r4C6K27PAcVFWm0Yxg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/3fGm+CdQOFRY9kYWmHRBSn1XLdS9MCD8M/+5WuRJBtk5IAhVx0XZ9HKZ5r4C6K27PAcVFWm0Yxg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA/WPA2-Enterprise Mode

Description

In this example, the wlan1 interface will be configured in WPA/WPAv2 enterprise mode, also known as WPAv2 mixed mode, where security is ensured by means of radius server 10.215.168.1. The aes-ccmp and tkip ciphers will be used for unicast traffic.

Scenario

Warning

This mode was originally intended to provide WPAv2 security while supporting legacy WPA stations. Since stations can connect using WPA security, which is considered unsafe, only use this mode if legacy devices are present in your deployment.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX18H94uZvmcPM3Q2gC5OON3waySEJ3DdTyVbf5DL0B/5dRNxn+MD/c3HAYuxQCcHofKfEo4HpLx4cQ==

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX18H94uZvmcPM3Q2gC5OON3waySEJ3DdTyVbf5DL0B/5dRNxn+MD/c3HAYuxQCcHofKfEo4HpLx4cQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm dot1x
set interfaces wlan wlan0 type station network 1 security framework wpav1
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers tkip
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security eap-method mschapv2
set interfaces wlan wlan0 type station network 1 security identity testing
set interfaces wlan wlan0 type station network 1 security passphrase password

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.25 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.44 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 2.435/4.342/6.249/1.907 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Configuration path: [interfaces bridge br0] already exists

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX18H94uZvmcPM3Q2gC5OON3waySEJ3DdTyVbf5DL0B/5dRNxn+MD/c3HAYuxQCcHofKfEo4HpLx4cQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX18H94uZvmcPM3Q2gC5OON3waySEJ3DdTyVbf5DL0B/5dRNxn+MD/c3HAYuxQCcHofKfEo4HpLx4cQ==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point ssid network_5GHz
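
The warnings in the enterprise scenarios on this page can be checked automatically before a configuration is committed. The following Python script is an added example, not part of the original documentation or the product's tooling; it parses `set interfaces wlan ... type access-point security ...` lines and flags the settings this page warns about. The finding codes and the sample configuration (interfaces wlan2 and wlan3, SSIDs network_wpa3 and network_ok) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: access-point lines modelled on the scenarios on this page.
# wlan1 mirrors the WPA/WPA2 mixed-mode example; wlan2 and wlan3 are hypothetical.
SAMPLE_CONFIG = """\
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point security wpav1 pairwise-ciphers tkip
set interfaces wlan wlan1 type access-point ssid network_5GHz
set interfaces wlan wlan2 type access-point security akm dot1x-256
set interfaces wlan wlan2 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan2 type access-point ssid network_wpa3
set interfaces wlan wlan3 type access-point security akm dot1x-256
set interfaces wlan wlan3 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan3 type access-point security pmf required
set interfaces wlan wlan3 type access-point ssid network_ok
"""

AP_SECURITY = re.compile(
    r"^set interfaces wlan (?P<ifc>\S+) type access-point security (?P<rest>.+)$"
)


def parse_ap_security(config_text):
    """Collect the security settings of every access-point interface."""
    aps = defaultdict(
        lambda: {"akm": set(), "rsn_ciphers": set(), "wpav1_ciphers": set(), "pmf": None}
    )
    for raw in config_text.splitlines():
        match = AP_SECURITY.match(raw.strip())
        if not match:
            continue  # not an access-point security line
        tokens = match.group("rest").split()
        ap = aps[match.group("ifc")]
        if tokens[0] == "akm" and len(tokens) == 2:
            ap["akm"].add(tokens[1])
        elif tokens[0] == "pairwise-ciphers" and len(tokens) == 2:
            ap["rsn_ciphers"].add(tokens[1])
        elif tokens[:2] == ["wpav1", "pairwise-ciphers"] and len(tokens) == 3:
            ap["wpav1_ciphers"].add(tokens[2])
        elif tokens[0] == "pmf" and len(tokens) == 2:
            ap["pmf"] = tokens[1]
        # other security lines (aaa, encrypted-passphrase, ...) are not audited
    return dict(aps)


def audit(config_text):
    """Return (interface, code, message) tuples for settings this page warns about."""
    findings = []
    for ifc, ap in sorted(parse_ap_security(config_text).items()):
        if "none" in ap["akm"]:
            findings.append((ifc, "open-network",
                             "akm none: traffic is visible to any attacker"))
        if ap["wpav1_ciphers"]:
            findings.append((ifc, "wpav1-enabled",
                             "wpav1 ciphers configured: stations may connect using WPA"))
        if "tkip" in ap["rsn_ciphers"] | ap["wpav1_ciphers"]:
            findings.append((ifc, "tkip-cipher",
                             "tkip pairwise cipher offered: use aes-ccmp instead"))
        if "dot1x-256" in ap["akm"] and ap["pmf"] != "required":
            findings.append((ifc, "pmf-not-required",
                             "akm dot1x-256 needs pmf required"))
    return findings


if __name__ == "__main__":
    for ifc, code, message in audit(SAMPLE_CONFIG):
        print(f"{ifc}: [{code}] {message}")
```
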

WPA3-Enterprise Only Mode

Description

In this example, the wlan1 interface will be configured in WPAv3 enterprise mode, where security is ensured by means of radius server 10.215.168.1. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to required in this mode.

Scenario

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/XIvTk40/GSjWnSa/QXFC+ZrMmXZCSGjfiNc4dbvGwca06uTfYEYzasPTwpQ0iJJh60IwgJLNbXA==

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/XIvTk40/GSjWnSa/QXFC+ZrMmXZCSGjfiNc4dbvGwca06uTfYEYzasPTwpQ0iJJh60IwgJLNbXA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm dot1x-256
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security eap-method mschapv2
set interfaces wlan wlan0 type station network 1 security identity testing
set interfaces wlan wlan0 type station network 1 security passphrase password
set interfaces wlan wlan0 type station network 1 security pmf required

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=10.1 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=3.46 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 3.461/6.790/10.119/3.329 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Configuration path: [interfaces bridge br0] already exists

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/XIvTk40/GSjWnSa/QXFC+ZrMmXZCSGjfiNc4dbvGwca06uTfYEYzasPTwpQ0iJJh60IwgJLNbXA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/XIvTk40/GSjWnSa/QXFC+ZrMmXZCSGjfiNc4dbvGwca06uTfYEYzasPTwpQ0iJJh60IwgJLNbXA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-128
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 14: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/XIvTk40/GSjWnSa/QXFC+ZrMmXZCSGjfiNc4dbvGwca06uTfYEYzasPTwpQ0iJJh60IwgJLNbXA==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 15: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-256
set interfaces wlan wlan1 type access-point security pmf required
set interfaces wlan wlan1 type access-point ssid network_5GHz

WPA2/WPA3-Enterprise Transition Mode

Description

In this example, the wlan1 interface will be configured in WPA2/WPA3-Enterprise mode, also known as WPA3 transition mode, where security is ensured by means of the RADIUS server 10.215.168.1. The aes-ccmp cipher will be used for unicast traffic. Protected Management Frames (pmf) must be set to optional in this mode.

Scenario

Note

This is a transition mode aimed at providing connectivity to WPA2-capable stations. WPA3-capable stations will use this security mode when connecting to the device.

Step 1: Set the following configuration in DUT0:

set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 2: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/YyX419l7XgJDJf0Ojq+fPsIT1x6kZSPAJ4eF1h2tj/5GjlF5bG0AC2SIhJPOKIsVxGHQ50FZrVg==

Step 3: Set the following configuration in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces bridge br0 address 10.215.168.64/24
set interfaces bridge br0 address 192.168.100.1/24
set interfaces ethernet eth2 bridge-group bridge br0
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan1 type access-point ssid network_5GHz
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/YyX419l7XgJDJf0Ojq+fPsIT1x6kZSPAJ4eF1h2tj/5GjlF5bG0AC2SIhJPOKIsVxGHQ50FZrVg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 4: Configure the MON device to connect to network_5GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi1 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi1
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f0
set interfaces wlan wlan0 type station network 1 ssid network_5GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm dot1x
set interfaces wlan wlan0 type station network 1 security akm dot1x-256
set interfaces wlan wlan0 type station network 1 security pairwise-ciphers aes-ccmp
set interfaces wlan wlan0 type station network 1 security framework rsn
set interfaces wlan wlan0 type station network 1 security eap-method mschapv2
set interfaces wlan wlan0 type station network 1 security identity testing
set interfaces wlan wlan0 type station network 1 security passphrase password
set interfaces wlan wlan0 type station network 1 security pmf optional

Step 5: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=6.49 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=2.39 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 2.394/4.443/6.493/2.050 ms

Step 6: Run command configure at DUT0 and expect this output:

Step 7: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output:

Step 8: Run command set interfaces bridge br0 at DUT0 and expect this output:

Configuration path: [interfaces bridge br0] already exists

Step 9: Run command commit at DUT0 and expect this output:

Step 10: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/YyX419l7XgJDJf0Ojq+fPsIT1x6kZSPAJ4eF1h2tj/5GjlF5bG0AC2SIhJPOKIsVxGHQ50FZrVg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 11: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-ccmp-256
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 12: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/YyX419l7XgJDJf0Ojq+fPsIT1x6kZSPAJ4eF1h2tj/5GjlF5bG0AC2SIhJPOKIsVxGHQ50FZrVg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 13: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-128
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan1 type access-point ssid network_5GHz

Step 14: Set the following configuration in DUT0:

set interfaces bridge br0 address 10.215.168.64/24
set interfaces ethernet eth2 bridge-group bridge br0
set system aaa group radius radius_group server radius_server
set system aaa list radius_list method 1 group radius radius_group
set system aaa server radius radius_server address 10.215.168.1
set system aaa server radius radius_server encrypted-key U2FsdGVkX1/YyX419l7XgJDJf0Ojq+fPsIT1x6kZSPAJ4eF1h2tj/5GjlF5bG0AC2SIhJPOKIsVxGHQ50FZrVg==
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 15: Modify the following configuration lines in DUT0:

set controllers wlan installation indoor
set controllers wlan radios wifi0 band 5GHz
set controllers wlan radios wifi0 bandwidth 80MHz
set controllers wlan radios wifi0 channel 36
set controllers wlan radios wifi0 mode 802.11ac
set controllers wlan radios wifi0 mode 802.11ax
set controllers wlan radios wifi0 mode 802.11n
set interfaces wlan wlan1 bridge-group bridge br0
set interfaces wlan wlan1 phy wifi0
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pairwise-ciphers aes-gcmp-256
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan1 type access-point ssid network_5GHz
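
The scenarios above differ only in which akm values are set and in the pmf setting that accompanies them. The following check is an added example, not part of the vendor documentation: it audits exported access-point lines for the pairing this page uses (dot1x plus dot1x-256 with pmf optional, dot1x-256 alone with pmf required) and for a missing AAA list. The mode labels and the wlan2 and wlan3 interfaces are assumptions made for the example.

```python
import re
from collections import defaultdict

# AP security lines in the syntax used on this page.
LINE = re.compile(
    r"^set interfaces wlan (\S+) type access-point security (\S+)(?: (.+))?$")

# Constructed sample: wlan1 copies the transition-mode settings shown above;
# wlan2 and wlan3 are hypothetical interfaces with deliberate mistakes.
SAMPLE = """\
set interfaces wlan wlan1 type access-point security aaa authentication radius_list
set interfaces wlan wlan1 type access-point security akm dot1x
set interfaces wlan wlan1 type access-point security akm dot1x-256
set interfaces wlan wlan1 type access-point security pmf optional
set interfaces wlan wlan2 type access-point security aaa authentication radius_list
set interfaces wlan wlan2 type access-point security akm dot1x
set interfaces wlan wlan2 type access-point security akm dot1x-256
set interfaces wlan wlan2 type access-point security pmf required
set interfaces wlan wlan3 type access-point security akm dot1x-256
set interfaces wlan wlan3 type access-point security pmf optional
"""

def parse_ap_security(config):
    """Group security settings per interface; repeated keys (akm) keep every value."""
    aps = defaultdict(lambda: defaultdict(set))
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if m:
            iface, key, value = m.groups()
            aps[iface][key].add(value)
    return aps

def audit(config):
    """Return {interface: (mode, [findings])}; mode labels are this example's own."""
    report = {}
    for iface, sec in parse_ap_security(config).items():
        akm, pmf, findings = sec.get("akm", set()), sec.get("pmf", set()), []
        if akm == {"dot1x", "dot1x-256"}:
            mode, want = "enterprise-transition", "optional"
        elif akm == {"dot1x-256"}:
            mode, want = "dot1x-256-only", "required"  # as configured on this page
        else:
            mode, want = "other", None
        if want and pmf != {want}:
            findings.append(f"{mode}: expected 'pmf {want}', found {sorted(pmf) or 'unset'}")
        if want and not any(v and v.startswith("authentication ") for v in sec.get("aaa", ())):
            findings.append(f"{mode}: no 'security aaa authentication <list>' for 802.1X")
        report[iface] = (mode, findings)
    return report

if __name__ == "__main__":
    for iface, (mode, findings) in audit(SAMPLE).items():
        print(iface, mode, findings or "ok")
```

Running the same audit against the station-side lines would need a second pattern for `type station network <n> security`, which this example does not cover.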