Manuals / Brands / Photography / Film Camera / Cisco Systems / Photography / Film Camera

Cisco Systems OL-29225-01 Configuring Management Frame Protection

1 514

Download 514 pages, 6.36 Mb

12-21

Cisco IOS Software Configuration Guide for Cisco Aironet Access Points

OL-30644-01

Chapter12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Configuring Management Frame Protection

Step7 Click Apply.

Beginning in privileged EXEC mode, perform these steps to configure 802.11r using the access point

CLI:

Configuring Management Frame Protection

Management Frame Protection operation requires a WDS. You can configure MFP on an access point

and WDS manually.

Note Without a management platform, MFP cannot report detected intrusions and so has limited effectiveness.

For complete protection, you should also configure an MFP access point for Simple Network Transfer

Protocol (SNTP).

Management Frame Protection

Management Frame Protection provides security features for the management messages passed between

Access Point and Client stations. MFP consists of two functional components: Infrastructure MFP and

Client MFP.

Infrastructure MFP provides Infrastructure support. Infrastructure MFP utilizes a message integrity

check (MIC) across broadcast and directed management frames which can assist in detection of rogue

devices and denial of service attacks. Client MFP provides client support. Client MFP protects

authenticated clients from spoofed frames, by preventing many of the common attacks against WLANs

from becoming effective.

Client MFP Overview

Client MFP encrypts class 3 management frames sent between access points and CCXv5-capable client

stations, so that both AP and client can take preventative action by dropping spoofed class 3 management

frames (i.e. management frames passed between an AP and a client station that is authenticated and

Command Purpose

Step1 configure terminal Enters the global configuration mode.

Step2 dot11 ssid <ssid> Configures the SSID.

Step3 authentication key-management

wpa version 2 dot11r

Configures 802.11r on an access point.

Step4 interface dot11radio {0 | 1} Enters interface configuration mode for the radio interface. The

2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.

Step5 dot11 dot11r pre-authentication

{over-air | over-ds}

Enables or disables the over-air or over-ds transition.

Step6 dot11 dot11r re-association timer

<value>

Configures the reassociation timer.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Preface Audience Purpose Configuration Procedures and Examples Organization Page Conventions Related Publications Page Page Overview of Access Point Features Radios in Access Points New Features and Platforms in this Release New Access Point Platforms Supported Support for Cisco Aironet 3700 Series access point Support for Cisco Aironet 2700 Series access point Support for Cisco Aironet 1700 Series access point New Features Multiple Port Support for Cisco Aironet 1550 Series Outdoor Access Points Automatic Configuring of the Access Point Support for L2TPv3 Configuration and CLI Changes in this Release Management Options Roaming Client Devices Network Configuration Examples Root Access Point Repeater Access Point Bridges Workgroup Bridge Central Unit in an All-Wireless Network Access point Using the Web-Browser Interface Using the Web-Browser Interface for the First Time Using the Management Pages in the Web-Browser Interface Using Action Buttons Character Restrictions in Entry Fields Enabling HTTPS for Secure Browsing CLI Configuration Example Deleting an HTTPS Certificate CLI Commands for Deleting an HTTPS Certificate Using Online User Guides Disabling the Web-Browser Interface Page Using the Command-Line Interface Cisco IOS Command Modes Getting Help Abbreviating Commands Using the no and Default Forms of Commands Understanding CLI Messages Using Command History Changing the Command History Buffer Size Recalling Commands Disabling the Command History Feature Using Editing Features Enabling and Disabling Editing Features Editing Commands Through Keystrokes Editing Command Lines that Wrap Searching and Filtering Output of show and more Commands Accessing the CLI Opening the CLI with Telnet Opening the CLI with Secure Shell Page Configuring the Access Point for the First Time Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the MODE Button Resetting to Default Settings Using the GUI Resetting to Default Settings Using the CLI Logging into the Access Point Obtaining and Assigning an IP Address Default IP Address Behavior Connecting to the 1040, 1140, 1240, 1250, 1260, and 2600 Series Access Points Locally Connecting to the 1550 Series Access Point Locally Default Radio Settings Assigning Basic Settings Page Page Page Default Settings on the Easy Setup Page Understanding the Security Settings Using VLANs Security Types for an SSID Page Limitations of Security Settings 4-15 CLI Configuration Examples Example: No Security for Radio 2.4GHz 4-16 Example: Static WEP for Radio 2.4 GHz 4-17 Example: EAP Authentication Note The following warning message appears if your radio clients are using EAP-FAST and you do not 4-18 4-19 Example: WPA2 for Radio 2.4GHz 4-20 Configuring System Power Settings Access Points Using the AC Power Adapter Using a Switch Capable of IEEE 802.3af Power Negotiation Using a Switch That Does Not Support IEEE 802.3af Power Negotiation Using a Power Injector Support for 802.11n Performance on 1250 Series Access Points with Standard 802.3af PoE 1250 Series Power Modes Support for 802.11ac Channel Widths for 802.11ac Power Management for 802.11ac Assigning an IP Address Using the CLI Using a Telnet Session to Access the CLI Configuring the 802.1X Supplicant Creating a Credentials Profile Applying the Credentials to an Interface or SSID Applying the Credentials Profile to the Wired Port Applying the Credentials Profile to an SSID Used For the Uplink Creating and Applying EAP Method Profiles Configuring IPv6 Page Configuring DHCPv6 address IPv6 Neighbor Discovery Page Configuring IPv6 Access Lists RADIUS Configuration IPv6 WDS Support CDPv6 Support: RA filtering Automatic Configuring of the Access Point Enabling Autoconfig Prepare a Configuration Information File Enable environmental variables Schedule the Configuration Information File Download Enabling Autoconfig via a Boot File Checking the Autoconfig Status Debugging Autoconfig Page Administrating the Access Point Disabling the Mode Button Preventing Unauthorized Access to Your Access Point Protecting Access to Privileged EXEC Commands Default Password and Privilege Level Configuration Setting or Changing a Static Enable Password Page Protecting Enable and Enable Secret Passwords with Encryption Configuring Username and Password Pairs Configuring Multiple Privilege Levels Setting the Privilege Level for a Command Logging Into and Exiting a Privilege Level Configuring Easy Setup Configuring Spectrum Expert Mode Controlling Access Point Access with RADIUS Default RADIUS Configuration Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Displaying the RADIUS Configuration Controlling Access Point Access with TACACS+ Default TACACS+ Configuration Configuring TACACS+ Login Authentication Page Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Displaying the TACACS+ Configuration Configuring Ethernet Speed and Duplex Settings Configuring the Access Point for Wireless Network Management Configuring the Access Point for Local Authentication and Authorization Configuring the Authentication Cache and Profile 5-23 Configuring the Access Point to Provide DHCP Service Setting up the DHCP Server Page Monitoring and Maintaining the DHCP Server Access Point Show Commands Clear Commands Debug Command Configuring the Access Point for Secure Shell Understanding SSH Configuring SSH Support for Secure Copy Protocol Configuring Client ARP Caching Understanding Client ARP Caching Optional ARP Caching Configuring ARP Caching Managing the System Time and Date Understanding Simple Network Time Protocol Configuring SNTP Configuring Time and Date Manually Setting the System Clock Displaying the Time and Date Configuration Configuring the Time Zone Configuring Summer Time (Daylight Saving Time) Page Defining HTTP Access Configuring a System Name and Prompt Default System Name and Prompt Configuration Configuring a System Name Understanding DNS Default DNS Configuration Setting Up DNS Displaying the DNS Configuration Creating a Banner Default Banner Configuration Configuring a Message-of-the-Day Login Banner Page Configuring a Login Banner Upgrading Autonomous Cisco Aironet Access Points to Lightweight Mode Page Configuring Radio Settings Enabling the Radio Interface Configuring the Role in Radio Network Page Page Universal Workgroup Bridge Mode Point-to-point and Multi Point bridging support for 802.11n platforms Configuring Dual-Radio Fallback Radio Tracking Fast Ethernet Tracking MAC-Address Tracking Configuring Radio Data Rates Access Points Send Multicast and Management Frames at Highest Basic Rate Page Page Configuring MCS Rates Enabling 11ac MCS rates Configuring Radio Transmit Power Page Limiting the Power Level for Associated Client Devices Configuring Radio Channel Settings Channel Widths for 802.11n Dynamic Frequency Selection Page Radar Detection on a DFS Channel CLI Commands Confirming that DFS is Enabled Configuring a Channel Blocking Channels from DFS Selection Setting the 802.11n Guard Interval Enabling and Disabling World Mode Disabling and Enabling Short Radio Preambles Configuring Transmit and Receive Antennas Page Enabling and Disabling Gratuitous Probe Response Disabling and Enabling Aironet Extensions Configuring the Ethernet Encapsulation Transformation Method Enabling and Disabling Reliable Multicast to Workgroup Bridges Page Enabling and Disabling Public Secure Packet Forwarding Configuring Protected Ports Configuring the Beacon Period and the DTIM Configure RTS Threshold and Retries Configuring the Maximum Data Packet Retries Configuring the Fragmentation Threshold Enabling Short Slot Time for 802.11g Radios Performing a Carrier Busy Test Configuring VoIP Packet Handling Page Page Configuring ClientLink Using the CLI to Configure ClientLink Debugging Radio Functions 802.11r Configuration Page Configuring Multiple SSIDs Understanding Multiple SSIDs Configuring Multiple SSIDs Creating an SSID Globally Page Viewing SSIDs Configured Globally Using a RADIUS Server to Restrict SSIDs Configuring Multiple Basic SSIDs Requirements for Configuring Multiple BSSIDs Guidelines for Using Multiple BSSIDs Configuring Multiple BSSIDs Displaying Configured BSSIDs Assigning IP Redirection for an SSID Guidelines for Using IP Redirection Configuring IP Redirection Including SSIDL IE in an SSID Beacon NAC Support for MBSSID Page Configuring NAC for MBSSID 7-14 Configuring Spanning Tree Protocol Understanding Spanning Tree Protocol STP Overview Access Point/Bridge Protocol Data Units Election of the Spanning-Tree Root Spanning-Tree Timers Creating the Spanning-Tree Topology Spanning-Tree Interface States Blocking State Listening State Learning State Forwarding State Disabled State Configuring STP Features Default STP Configuration Configuring STP Settings 8-10 STP Configuration Examples Root Bridge Without VLANs This example shows the configuration of a root bridge with no VLANs configured and with STP enabled: 8-11 Non-Root Bridge Without VLANs 8-12 Root Bridge with VLANs This example shows the configuration of a root bridge with VLANs configured with STP enabled: 8-13 8-14 Non-Root Bridge with VLANs This example shows the configuration of a non-root bridge with VLANs configured with STP enabled: 8-15 Displaying Spanning-Tree Status Configuring an Access Point as a Local Authenticator Understanding Local Authentication Configuring a Local Authenticator Guidelines for Local Authenticators Configuration Overview Configuring the Local Authenticator Access Point Page Page Configuring Other Access Points to Use the Local Authenticator Configuring EAP-FAST Settings Configuring PAC Settings PAC Expiration Times Generating PACs Manually Configuring an Authority ID Configuring Server Keys Possible PAC Failures Caused by Access Point Clock Limiting the Local Authenticator to One Authentication Type Unblocking Locked Usernames Viewing Local Authenticator Statistics Using Debug Messages Configuring WLAN Authentication and Encryption Understanding Authentication and Encryption Mechanisms Page Page Page Understanding Encryption Modes Configuring Encryption Modes Creating Static WEP Keys WEP Key Restrictions Example WEP Key Setup Enabling Cipher Suites Matching Cipher Suites with WPA or CCKM Page Enabling and Disabling Broadcast Key Rotation Page Configuring Authentication Types Understanding Authentication Types Open Authentication to the Access Point WEP Shared Key Authentication to the Access Point EAP Authentication to the Network MAC Address Authentication to the Network Combining MAC-Based, EAP, and Open Authentication Using CCKM for Authenticated Clients Using WPA Key Management Page Configuring Authentication Types Assigning Authentication Types to an SSID Page Page Page Configuring WPA Migration Mode for Legacy WEP SSIDs Configuring Additional WPA Settings Setting a pre-shared Key Configuring Group Key Updates Configuring MAC Authentication Caching Configuring Authentication Holdoffs, Timeouts, and Intervals Creating and Applying EAP Method Profiles for the 802.1X Supplicant Creating an EAP Method Profile Applying an EAP Profile to the Fast Ethernet Interface Page Applying an EAP Profile to an Uplink SSID Matching Access Point and Client Device Authentication Types Page Page Guest Access Management Guest Account Creation Customized Guest Access Pages Page Page Page Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services Understanding WDS Role of the WDS Device Role of Access Points Using the WDS Device Understanding Fast Secure Roaming Understanding Wireless Intrusion Detection Services Configuring WDS Guidelines for WDS Requirements for WDS Configuration Overview Configuring Access Points as Potential WDS Devices Page Page Configuring Access Points to use the WDS Device Page Configuring the Authentication Server to Support WDS Page Configuring WDS Only Mode Viewing WDS Information Using Debug Messages Configuring Fast Secure Roaming Requirements for Fast Secure Roaming Configuring Access Points to Support Fast Secure Roaming Page CLI Configuration Example Support for 802.11r Configuring Management Frame Protection Management Frame Protection Client MFP Overview Client MFP For Access Points in Root mode Configuring Client MFP Protection of Management Frames with 802.11w Configuring Radio Management CLI Configuration Example Configuring Access Points to Participate in WIDS Configuring the Access Point for Scanner Mode Configuring the Access Point for Monitor Mode Displaying Monitor Mode Statistics Configuring Monitor Mode Limits Configuring an Authentication Failure Limit Configuring RADIUS and TACACS+ Servers Configuring and Enabling RADIUS Understanding RADIUS RADIUS Operation Page Configuring RADIUS Default RADIUS Configuration Identifying the RADIUS Server Host Page Configuring RADIUS Login Authentication Page Defining AAA Server Groups Page Configuring RADIUS Authorization for User Privileged Access and Network Services Configuring Packet of Disconnect Selecting the CSID Format Starting RADIUS Accounting Configuring Settings for All RADIUS Servers Configuring the Access Point to Use Vendor-Specific RADIUS Attributes Configuring the Access Point for Vendor-Proprietary RADIUS Server Communication Configuring WISPr RADIUS Attributes Displaying the RADIUS Configuration RADIUS Attributes Sent by the Access Point Page Page Configuring and Enabling TACACS+ Understanding TACACS+ TACACS+ Operation Configuring TACACS+ Default TACACS+ Configuration Identifying the TACACS+ Server Host and Setting the Authentication Key Configuring TACACS+ Login Authentication Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services Starting TACACS+ Accounting Displaying the TACACS+ Configuration Page Configuring VLANs Understanding VLANs Incorporating Wireless Devices into VLANs Configuring VLANs Configuring a VLAN Step 1 - Enabling the VLAN on the radio and Ethernet ports Step 2 - Creating an SSID and assigning it to a VLAN Step 3 - Assigning encryption settings to a VLAN on a given radio interface Assigning Names to VLANs Guidelines for Using VLAN Names Creating a VLAN Name Using a RADIUS Server to Assign Users to VLANs Viewing VLANs Configured on the Access Point 14-9 VLAN Configuration Example 14-11 Table14-2 shows the commands needed to configure the three VLANs in this example. Table14-2 Configuration Commands for VLAN Example Configuring VLAN 1 Configuring VLAN 2 Configuring VLAN 3 Table14-3 Results of Example Configuration Commands Page Configuring QoS Understanding QoS for Wireless LANs QoS for Wireless LANs Versus QoS on Wired LANs Impact of QoS on a Wireless LAN Precedence of QoS Settings Using Wi-Fi Multimedia Mode Using Band Select Configuring QoS Configuration Guidelines Configuring QoS Using the Web-Browser Interface Page Page The QoS Policies Advanced Page QoS Element for Wireless Phones IGMP Snooping AVVID Priority Mapping WiFi Multimedia (WMM) Rate Limiting Adjusting Radio Access Categories Configuring Nominal Rates Optimized Voice Settings Configuring Call Admission Control Configuring the Radio Enabling Admission Control on the SSID Troubleshooting Admission Control Configuring Streams Page Configuring Filters Understanding Filters Configuring Filters Using the CLI Configuring Filters Using the Web-Browser Interface Configuring and Enabling MAC Address Filters Creating a MAC Address Filter Creating a MAC Address Filter - Using CLI Using MAC Address ACLs to Block or Allow Client Association to the Access Point Using MAC Address ACLs to Block or Allow Client Association to the Access Point via CLI Configuring MAC Address Authentication Determining the source of MAC Authentication Using a local MAC address list Using the AP internal RADIUS server for MAC address authentication Using an external RADIUS server for MAC address authentication Configuring the SSID for MAC Authentication Creating a Time-Based ACL ACL Logging Configuring and Enabling IP Filters Creating an IP Filter Configuring and Enabling EtherType Filters Creating an EtherType Filter Page Page Configuring CDP Understanding CDP Configuring CDP Default CDP Configuration Configuring the CDP Characteristics Disabling and Enabling CDP Disabling and Enabling CDP on an Interface Monitoring and Maintaining CDP 17-6 Enabling CDP Logging Page Configuring SNMP Understanding SNMP SNMP Versions SNMP Manager Functions SNMP Agent Functions SNMP Community Strings Using SNMP to Access MIB Variables Configuring SNMP Default SNMP Configuration Enabling the SNMP Agent Configuring Community Strings Page Specifying SNMP-Server Group Names Configuring SNMP-Server Hosts Configuring SNMP-Server Users Configuring Trap Managers and Enabling Traps Page Setting the Agent Contact and Location Information Using the snmp-server view Command SNMP Examples Displaying SNMP Status Configuring Repeater and Standby Access Points and Workgroup Bridge Mode Understanding Repeater Access Points Configuring a Repeater Access Point Default Configuration Guidelines for Repeaters Setting Up a Repeater Aligning Antennas Verifying Repeater Operation Setting Up a Repeater As a WPA2 Client Setting Up a Repeater As a EAP-FAST Client Understanding Hot Standby Configuring a Hot Standby Access Point Page Verifying Standby Operation Understanding Workgroup Bridge Mode Treating Workgroup Bridges as Infrastructure Devices or as Client Devices Configuring a Workgroup Bridge for Roaming Configuring a Workgroup Bridge for Limited Channel Scanning Configuring the Limited Channel Set Ignoring the CCX Neighbor List Configuring a Client VLAN Workgroup Bridge VLAN Tagging Configuring Workgroup Bridge Mode Page Page Page Using Workgroup Bridges in a Lightweight Environment Guidelines for Using Workgroup Bridges in a Lightweight Environment Sample Workgroup Bridge Association Verification Enabling VideoStream Support on Workgroup Bridges Page Managing Firmware and Configurations Working with the Flash File System Displaying Available File Systems Setting the Default File System Displaying Information About Files on a File System Changing Directories and Displaying the Working Directory Creating and Removing Directories Copying Files Deleting Files Creating, Displaying, and Extracting tar Files Creating a tar File Displaying the Contents of a tar File Extracting a tar File Displaying the Contents of a File Working with Configuration Files Guidelines for Creating and Using Configuration Files Configuration File Types and Location Creating a Configuration File by Using a Text Editor Copying Configuration Files by Using TFTP Preparing to Download or Upload a Configuration File by Using TFTP Downloading the Configuration File by Using TFTP Uploading the Configuration File by Using TFTP Copying Configuration Files by Using FTP Preparing to Download or Upload a Configuration File by Using FTP Downloading a Configuration File by Using FTP Uploading a Configuration File by Using FTP Copying Configuration Files by Using RCP Preparing to Download or Upload a Configuration File by Using RCP Downloading a Configuration File by Using RCP Uploading a Configuration File by Using RCP Clearing Configuration Information Deleting a Stored Configuration File Working with Software Images Image Location on the Access Point tar File Format of Images on a Server or Cisco.com Copying Image Files by Using TFTP Preparing to Download or Upload an Image File by Using TFTP Downloading an Image File by Using TFTP Page Uploading an Image File by Using TFTP Copying Image Files by Using FTP Preparing to Download or Upload an Image File by Using FTP Downloading an Image File by Using FTP Page Uploading an Image File by Using FTP Copying Image Files by Using RCP Preparing to Download or Upload an Image File by Using RCP Page Downloading an Image File by Using RCP Page Uploading an Image File by Using RCP Reloading the Image Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Page Configuring L2TPv3 Over UDP/IP Prerequisites Configuring L2TP Class Configuring Pseudowire Class Relationship between L2TP Class and Pseudowire Class Configuring the Tunnel interface Configure Tunnel management Interface Mapping SSID to the Tunnel/Xconnect Configuring TCP mss adjust Configuring UDP checksum Configuring System Message Logging Understanding System Message Logging Configuring System Message Logging System Log Message Format Default System Message Logging Configuration Disabling and Enabling Message Logging Setting the Message Display Destination Device Enabling and Disabling Timestamps on Log Messages Enabling and Disabling Sequence Numbers in Log Messages Defining the Message Severity Level Limiting Syslog Messages Sent to the History Table and to SNMP Setting a Logging Rate Limit Configuring the System Logging Facility Displaying the Logging Configuration Page Troubleshooting Checking the LED Indicators Checking Power Low Power Condition Checking Basic Settings SSID WEP Keys Security Settings Resetting to the Default Configuration Using the MODE Button Using the Web Browser Interface Using the CLI Reloading the Access Point Image Using the MODE button Using the Web Browser Interface Browser HTTP Interface Browser TFTP Interface Using the CLI 23-10 Step9 Enter the set command to check your bootloader entries. Obtaining the Access Point Image File Obtaining TFTP Server Software Image Recovery on the 1520 Access Point Page Page Page A Protocol Filters Page Page Page Page Page B Supported MIBs MIB List Using FTP to Access the MIB Files C Error and Event Messages Conventions Software Auto Upgrade Messages Page Association Management Messages Unzip Messages System Log Messages 802.11 Subsystem Messages Page Page Page Page Page Page Page Page Page Page Page Page Inter-Access Point Protocol Messages Local Authenticator Messages Page Page WDS Messages Mini IOS Messages Access Point/Bridge Messages Cisco Discovery Protocol Messages External Radius Server Error Messages LWAPP Error Messages Sensor Messages SNMP Error Messages SSH Error Messages Page Page GLOSSARY A B C D E F G I M O P Q S T U W