Support User Manuals

Cisco Systems OL-29225-01 Film Camera User Manual

Open as PDF

of 514

12-21

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-30644-01

Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Configuring Management Frame Protection

Step 7 Click Apply.

Beginning in privileged EXEC mode, perform these steps to configure 802.11r using the access point

CLI:

Configuring Management Frame Protection

Management Frame Protection operation requires a WDS. You can configure MFP on an access point

and WDS manually.

Note Without a management platform, MFP cannot report detected intrusions and so has limited effectiveness.

For complete protection, you should also configure an MFP access point for Simple Network Transfer

Protocol (SNTP).

Management Frame Protection

Management Frame Protection provides security features for the management messages passed between

Access Point and Client stations. MFP consists of two functional components: Infrastructure MFP and

Client MFP.

Infrastructure MFP provides Infrastructure support. Infrastructure MFP utilizes a message integrity

check (MIC) across broadcast and directed management frames which can assist in detection of rogue

devices and denial of service attacks. Client MFP provides client support. Client MFP protects

authenticated clients from spoofed frames, by preventing many of the common attacks against WLANs

from becoming effective.

Client MFP Overview

Client MFP encrypts class 3 management frames sent between access points and CCXv5-capable client

stations, so that both AP and client can take preventative action by dropping spoofed class 3 management

frames (i.e. management frames passed between an AP and a client station that is authenticated and

Command Purpose

Step 1

configure terminal Enters the global configuration mode.

Step 2

dot11 ssid <ssid> Configures the SSID.

Step 3

authentication key-management

wpa version 2 dot11r

Configures 802.11r on an access point.

Step 4

interface dot11radio {0 | 1} Enters interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step 5

dot11 dot11r pre-authentication

{over-air | over-ds}

Enables or disables the over-air or over-ds transition.

Step 6

dot11 dot11r re-association timer

<value>

Configures the reassociation timer.

previous next