Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring Management Frame Protection
Configuring Client MFP

Command
    Description

ids mfp client required
    This SSID configuration command enables Client MFP as required on a
    particular SSID. The Dot11Radio interface is reset when the command is
    executed if the SSID is bound to the Dot11Radio interface. The command
    also expects that the SSID is configured with WPA Version 2 mandatory.
    If the SSID is not configured with WPAv2 mandatory, an error message
    displays and the command is rejected.

    The no form of this command disables Client MFP on a particular SSID.
    The Dot11Radio interface is reset when the command is executed if the
    SSID is bound to the Dot11Radio interface.

ids mfp client optional
    This SSID configuration command enables Client MFP as optional on a
    particular SSID. The Dot11Radio interface is reset when the command is
    executed if the SSID is bound to the Dot11Radio interface. Client MFP is
    enabled for this particular SSID if the SSID is WPAv2 capable; otherwise
    Client MFP is disabled.

authentication key-management wpa version {1|2}
    Use this command to explicitly specify which WPA version to use for WPA
    key management for a particular SSID.

dot11 ids mfp {generator | detector}
    Configures the access point as an MFP generator. When enabled, the
    access point protects the management frames it transmits by adding a
    message integrity check information element (MIC IE) to each frame. Any
    attempt to copy, alter, or replay the frame will invalidate the MIC,
    causing any receiving access point that is configured to detect
    (validate) MFP frames to report the discrepancy. The access point must
    be a member of a WDS.

    Configures the access point as an MFP detector. When enabled, the access
    point validates management frames it receives from other access points.
    If it receives any frame that does not contain a valid and expected MIC
    IE, it will report the discrepancy to the WDS. The access point must be
    a member of a WDS.

sntp server server IP address
    Enter the name or IP address of the SNTP server.

dot11 ids mfp distributor
    Beginning in global configuration mode, use this command to configure
    the WDS as an MFP distributor. When enabled, the WDS manages signature
    keys, used to create the MIC IEs, and securely transfers them between
    generators and detectors.

The following CLI commands can be used to display and clear Client MFP statistics on the access point console for a Dot11Radio interface.

Command
    Description

show dot11 ids mfp client statistics
    Use this command to display Client MFP statistics on the access point
    console for a Dot11Radio interface.

clear dot11 ids mfp client statistics
    Use this command to clear the Client MFP statistics.
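
The following is an added example, not part of the Cisco guide: a Python check that reads the dot11 ssid blocks of a saved configuration and reports the Client MFP state each SSID ends up in under the required/optional rules described above. The sample configuration is constructed, the function and state names are hypothetical, and treating "wpa" with no version keyword as WPAv2 capable is an assumption.

```python
import re

# Constructed running-config excerpt for illustration (not taken from the guide).
SAMPLE_CONFIG = """\
dot11 ssid corp
   authentication key-management wpa version 2
   ids mfp client required
!
dot11 ssid guest
   ids mfp client optional
!
dot11 ssid legacy
   authentication key-management wpa version 1
   ids mfp client optional
!
dot11 ssid byod
   authentication key-management wpa version 2
   ids mfp client optional
!
dot11 ssid lab
   authentication key-management wpa version 2
!
"""

SSID_BLOCK = re.compile(r"^dot11 ssid (\S+)[ \t]*\n((?:[ \t]+\S.*\n)*)", re.M)
MFP = re.compile(r"^\s*ids mfp client (required|optional)\s*$", re.M)
WPA = re.compile(r"^\s*authentication key-management wpa(?: version ([12]))?", re.M)

def classify(body):
    """Map the sub-commands of one SSID block to its effective Client MFP state."""
    mfp, wpa = MFP.search(body), WPA.search(body)
    version = wpa.group(1) if wpa else None
    v2_mandatory = version == "2"
    # Assumption: 'wpa' with no version keyword leaves the SSID WPAv2 capable.
    v2_capable = wpa is not None and version != "1"
    if mfp is None:
        return "unprotected"          # no Client MFP configured on this SSID
    if mfp.group(1) == "required":
        # The access point rejects 'required' without WPAv2 mandatory.
        return "required" if v2_mandatory else "invalid"
    return "optional-active" if v2_capable else "optional-disabled"

def audit_client_mfp(config):
    """Return {ssid: state} for every 'dot11 ssid' block in the config text."""
    return {m.group(1): classify(m.group(2)) for m in SSID_BLOCK.finditer(config)}

if __name__ == "__main__":
    for ssid, state in audit_client_mfp(SAMPLE_CONFIG).items():
        print(f"{ssid:8} {state}")
```

SSIDs reported as optional-disabled are the ones to review first: the optional command is accepted on them, but Client MFP is not in effect.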