12-5
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring WDS
Switch port tracing and rogue suppression—Switch port tracing and suppression uses an RF
detection method that produces the radio MAC address of an unknown radio (a potential rogue
device). The (non-Cisco) WIDS engine derives a wired-side MAC address from the wireless MAC
address and uses it to search the switch’s BRIDGE MIB.
Excessive management frame detection—Excessive management frames indicate an attack on your
wireless LAN. An attacker might carry out a denial-of-service attack by injecting excessive
management frames over the radio to overwhelm access points, which have to process the frames.
As part of the WIDS feature set, access points in scanning mode and root access points monitor radio
signals and detect excessive management frames. When they detect excessive management frames,
the access points generate a fault and send it through the WDS to the (non-Cisco) WIDS engine.
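The detection described above is, in its simplest form, a per-station rate check on 802.11 management frames. The following added example (not code from the guide or from Cisco IOS) shows that logic in Python over a constructed frame trace: a sliding one-second window per source MAC, a fault raised once when the window count exceeds a threshold, and data frames ignored. The threshold of 50 frames per second, the window length and the fault format are assumptions for illustration; the guide does not state the values the access point uses.

```python
from collections import defaultdict, deque

MGMT_TYPE = 0          # 802.11 frame type 0 = management
THRESHOLD = 50         # assumed frames per window; not the guide's real value
WINDOW_S = 1.0         # assumed sliding window length in seconds


class ExcessiveMgmtFrameDetector:
    """Raise one fault per source MAC that sends more than THRESHOLD
    management frames inside a WINDOW_S sliding window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_S):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # src_mac -> timestamps in window
        self.faulted = set()                # MACs already reported

    def observe(self, ts, src_mac, ftype, subtype):
        """Feed one frame; return a fault dict when the threshold is crossed."""
        if ftype != MGMT_TYPE:
            return None                     # only management frames count
        q = self.history[src_mac]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                     # drop frames older than the window
        if len(q) > self.threshold and src_mac not in self.faulted:
            self.faulted.add(src_mac)
            # In the guide's model this fault would be sent via the WDS to the WIDS engine.
            return {"event": "excessive-mgmt-frames", "src": src_mac,
                    "count": len(q), "window_s": self.window, "subtype": subtype}
        return None


def build_sample():
    """Constructed trace: (timestamp, source MAC, frame type, subtype)."""
    frames = []
    # Legitimate client: five probe requests (subtype 0x4) spread over a second.
    for i in range(5):
        frames.append((i * 0.2, "aa:bb:cc:00:00:01", 0, 0x4))
    # Same client: 100 data frames (type 2), which the detector must ignore.
    for i in range(100):
        frames.append((i * 0.01, "aa:bb:cc:00:00:01", 2, 0x0))
    # Station flooding deauthentication frames (subtype 0xA): 200 in one second.
    for i in range(200):
        frames.append((i * 0.005, "de:ad:be:ef:00:01", 0, 0xA))
    frames.sort()
    return frames


def run_detection(frames, threshold=THRESHOLD, window=WINDOW_S):
    """Run the detector over a trace and return the list of faults raised."""
    det = ExcessiveMgmtFrameDetector(threshold, window)
    faults = []
    for frame in frames:
        fault = det.observe(*frame)
        if fault:
            faults.append(fault)
    return faults


if __name__ == "__main__":
    for fault in run_detection(build_sample()):
        print(fault)
```

Only the flooding station is reported, and only once, even though it keeps sending after the threshold is crossed; the legitimate client's probe requests and data traffic never trigger a fault.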
Authentication/protection failure detection—Authentication/protection failure detection looks for
attackers who are trying either to overcome the initial authentication phase on a wireless LAN or to
compromise the ongoing link protection. These detection mechanisms address specific
authentication attacks:
EAPOL flood detection
MIC/encryption failures detection
MAC spoofing detection
Frame capture mode—In frame capture mode, a scanner access point collects 802.11 frames and
forwards them to the address of a WIDS engine on your network.
Note See the “Configuring Access Points to Participate in WIDS” section on page 12-26 for
instructions on configuring the access point to participate in WIDS, and the “Configuring
Management Frame Protection” section on page 12-21 for instructions on configuring the access
point for MFP.
802.11 Management Frame Protection (MFP)—Wireless is an inherently broadcast medium
enabling any device to eavesdrop and participate either as a legitimate or rogue device. Since control
and management frames are used by client stations to select and initiate a session with an AP, these
frames must be open. While management frames cannot be encrypted, they must be protected from
forgery. MFP is a means by which the 802.11 management frames can be integrity protected.
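To make the distinction between encryption and integrity protection concrete, here is an added example (not code from the guide, and not the MIC construction that Cisco MFP actually uses) in Python. A minimal 802.11 management frame is built in the clear, a keyed MIC is appended, and verification then accepts the genuine frame while rejecting a frame built without the key and a frame whose header was altered in transit. The HMAC-SHA-256 MIC, its 16-byte truncation, the key and the MAC addresses are all constructed assumptions for illustration.

```python
import hmac
import hashlib
import struct

MIC_LEN = 16   # assumed MIC length for this illustration


def build_mgmt_frame(subtype, da, sa, bssid, seq, body):
    """Build a minimal 802.11 management frame: 24-byte header + body, all plaintext."""
    frame_control = struct.pack("<H", subtype << 4)   # type 0 (management), subtype in bits 4-7
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", seq << 4)            # sequence number, fragment 0
    return frame_control + duration + da + sa + bssid + seq_ctrl + body


def protect(frame, key):
    """Append a MIC over the whole frame. The body stays readable; only forgery is prevented."""
    mic = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return frame + mic


def verify(protected, key):
    """Recompute the MIC and compare in constant time; False means forged or altered."""
    if len(protected) < 24 + MIC_LEN:
        return False
    frame, mic = protected[:-MIC_LEN], protected[-MIC_LEN:]
    expected = hmac.new(key, frame, hashlib.sha256).digest()[:MIC_LEN]
    return hmac.compare_digest(mic, expected)


def demo():
    """Constructed scenario: a protected deauthentication frame and two bad variants."""
    key = b"constructed-demo-key-not-a-real-secret"   # shared by AP and client (assumption)
    ap = bytes.fromhex("001122334455")                 # constructed AP / BSSID address
    client = bytes.fromhex("66778899aabb")             # constructed client address
    reason = struct.pack("<H", 3)                      # deauth reason code 3 (station leaving)

    genuine = protect(build_mgmt_frame(0xA, client, ap, ap, seq=7, body=reason), key)

    # A third party without the key can only attach a MIC it cannot compute correctly.
    forged = build_mgmt_frame(0xA, client, ap, ap, seq=8, body=reason) + bytes(MIC_LEN)

    # The genuine frame with one header byte changed (first byte of the DA field).
    tampered = bytearray(genuine)
    tampered[4] ^= 0x01

    return {
        "genuine": verify(genuine, key),
        "forged": verify(forged, key),
        "tampered": verify(bytes(tampered), key),
        "body_is_plaintext": genuine[24:26] == reason,
    }


if __name__ == "__main__":
    print(demo())
```

The last field in the result makes the page's point explicit: the reason code is still readable in the protected frame, so any station can parse it, but only a holder of the key can produce a frame that passes verification.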
Configuring WDS
This section describes how to configure WDS on your network. This section contains these sections:
Guidelines for WDS, page 12-6
Requirements for WDS, page 12-6
Configuration Overview, page 12-6
Configuring Access Points as Potential WDS Devices, page 12-7
Configuring Access Points to use the WDS Device, page 12-10
Configuring the Authentication Server to Support WDS, page 12-12
Configuring WDS Only Mode, page 12-14
Viewing WDS Information, page 12-15
Using Debug Messages, page 12-16