Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Management Frame Protection
Client MFP can be configured as either required or optional for a particular SSID. To configure Client
MFP as required, you must configure the SSID with key management WPA version 2 mandatory. If the
key management is not WPAv2 mandatory, an error message is displayed and your CLI command is
rejected. If you attempt to change the key management setting while Client MFP is configured as
required and key management is WPAv2, an error message is displayed and your CLI command is
rejected. When configured as optional, Client MFP is enabled if the SSID is capable of WPAv2;
otherwise, Client MFP is disabled.
Configuring Client MFP
The following CLI commands are used to configure Client MFP for access points in root mode.
ids mfp client required
This SSID configuration command enables Client MFP as required on a particular SSID. The
Dot11Radio interface is reset when the command is executed if the SSID is bound to the Dot11Radio
interface. The command also expects that the SSID is configured with WPA version 2 mandatory. If the
SSID is not configured with WPAv2 mandatory, an error message displays and the command is rejected.
no ids mfp client
This SSID configuration command disables Client MFP on a particular SSID. The Dot11Radio interface
is reset when the command is executed if the SSID is bound to the Dot11Radio interface.
ids mfp client optional
This SSID configuration command enables Client MFP as optional on a particular SSID. The Dot11Radio
interface is reset when the command is executed if the SSID is bound to the Dot11Radio interface. Client
MFP is enabled for this particular SSID if the SSID is WPAv2 capable; otherwise, Client MFP is
disabled.
show dot11 ids mfp client statistics
Use this command to display Client MFP statistics on the access point console for a Dot11Radio
interface.
clear dot11 ids mfp client statistics
Use this command to clear the Client MFP statistics.
authentication key management wpa version {1|2}
Use this command to explicitly specify which WPA version to use for WPA key management for a
particular SSID.
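The rules above (required needs WPAv2 mandatory; optional leaves Client MFP disabled when the SSID is not WPAv2 capable) can be checked offline against a saved or staged configuration. The following Python audit is an added example, not part of the Cisco guide; the "dot11 ssid" block layout, the two spellings of the key management keyword, and treating WPA key management without an explicit version as WPAv2 capable are assumptions, and the sample configuration is constructed.

```python
import re
# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
dot11 ssid corp
   authentication key-management wpa version 2
   ids mfp client required
!
dot11 ssid legacy
   authentication key-management wpa version 1
   ids mfp client optional
!
dot11 ssid staged
   ids mfp client required
!
"""

# Assumption: the keyword may be spelled "key-management" or "key management".
KEY_MGMT = re.compile(r"authentication key[- ]management wpa(?: version ([12]))?\b")
MFP = re.compile(r"ids mfp client (required|optional)")

def parse_ssids(config):
    """Group the indented lines under each 'dot11 ssid NAME' header."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"dot11 ssid (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif current is not None and line[:1] in (" ", "\t"):
            current.append(line.strip())
        else:
            current = None  # '!' or any unindented line closes the block
    return blocks

def audit_client_mfp(config):
    """Return {ssid: (configured mode, effective Client MFP state)}."""
    report = {}
    for ssid, lines in parse_ssids(config).items():
        mode, wpa = "none", "none"
        for line in lines:
            if m := MFP.fullmatch(line):
                mode = m.group(1)
            if km := KEY_MGMT.match(line):  # no version: assumed WPAv2 capable
                wpa = {"2": "mandatory", "1": "v1-only", None: "capable"}[km.group(1)]
        if mode == "required":  # the CLI rejects 'required' without WPAv2 mandatory
            state = "enabled" if wpa == "mandatory" else "rejected-by-cli"
        else:  # 'optional' falls back to disabled without any error message
            state = "enabled" if mode == "optional" and wpa in ("mandatory", "capable") else "disabled"
        report[ssid] = (mode, state)
    return report
```

The case worth reviewing is an SSID reported as ("optional", "disabled"): the configuration is accepted, but that SSID gets no Client MFP protection.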
        Command                  Description
Step 1  configure terminal       Enter global configuration mode.
Step 2  dot11 ids mfp generator  Configures the access point as an MFP generator. When enabled,
                                 the access point protects the management frames it transmits by
                                 adding a message integrity check information element (MIC IE)
                                 to each frame. Any attempt to copy, alter, or replay the frame will
                                 invalidate the MIC, causing any receiving access point that is
                                 configured to detect (validate) MFP frames to report the
                                 discrepancy. The access point must be a member of a WDS.