12-24
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection
Configuring Management Frame Protection
Protection of Management Frames with 802.11w
The current 802.11 standard defines frame types for use in the management and control of wireless links.
The management frames included in the 802.11 protocol are neither authenticated nor encrypted, even
when the highest level of WLAN security is used. 802.11w is the Protected Management Frames
standard for the IEEE 802.11 family of standards.
802.11w increases the security of management frames by adding three new security services:
Data Origin Authenticity
Replay Detection
Robust Management Frame Protection.
The Management frames that can be protected are:
Disassociation
Deauthentication
Robust Action frames excluding Public Action frames
802.11w is also used to prevent association request replay attacks. The protection offered by 802.11w is
somewhat comparable to the protection offered by Cisco Client MFP. However, 802.11w does not offer
a mechanism comparable to Cisco Infrastructure MFP.
To enable Cisco Client MFP, you need to make sure that the clients to be protected support CCXv5. To
enable 802.11w, you need to make sure that the clients to be protected support 802.11w.
Both Cisco Infrastructure MFP and 802.11w can be enabled on the same SSID. However, you should not
enable Cisco Client MFP and 802.11w on both the same SSID and the same radio.
Perform these steps to enable 802.11w:
Step 1 Browse to the Security page on the access point GUI.
Step 2 Select SSID Manager.
Step 3 From the Client Authenticated Key Management page, you can:
Click the 11w Configuration Required radio button, to allow only clients that support 802.11w
to join the SSID.
Click the 11w Configuration Optional radio button, to allow both clients supporting 802.11w
and clients not supporting 802.11w to join the SSID.
Step 4 Enter the 11w Association-comeback time.
Step 5 Enter the 11w Saquery-retry time.
This CLI command is used to enable 802.11w on the access point:
ap(config-ssid)# 11w-pmf client required/optional
These CLI commands are used to configure the association-comeback time and the SA Query retry interval:
ap(config-ssid)# 11w-pmf association-comeback 1000-20000ms
ap(config-ssid)# 11w-pmf saquery-retry 100-500ms
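As an added example (not from this guide), the following Python script audits an access point running-config for the 802.11w settings described above: it parses each dot11 ssid block, reports SSIDs where 11w-pmf is not enabled, flags association-comeback and saquery-retry values outside the 1000-20000 ms and 100-500 ms ranges, and flags SSIDs that combine Cisco Client MFP with 802.11w. It assumes the timers are stored as integer milliseconds and that Client MFP appears as an "ids mfp client" line under the SSID; the sample config is constructed.

```python
import re
from itertools import takewhile
# Constructed sample running-config, not from the guide. The "ids mfp client" line
# is an assumed form of Client MFP under an SSID; timers are assumed integer ms.
SAMPLE_CONFIG = """\
dot11 ssid corp
 11w-pmf client required
 11w-pmf association-comeback 1000
 11w-pmf saquery-retry 200
!
dot11 ssid legacy
 11w-pmf client optional
 ids mfp client required
 11w-pmf association-comeback 30000
!
dot11 ssid guest
 authentication open
!
"""
TIMER_RANGES = {"association-comeback": (1000, 20000),  # ms, ranges from the guide
                "saquery-retry": (100, 500)}

def parse_ssids(config):
    # Indented lines after 'dot11 ssid <name>'; '!' or a non-indented line ends the block.
    chunks = re.split(r"^dot11 ssid (\S+)$", config, flags=re.M)[1:]
    return {name: [l.strip() for l in takewhile(lambda l: l.startswith(" "),
                                               body.lstrip("\n").splitlines())]
            for name, body in zip(chunks[::2], chunks[1::2])}

def audit_ssid(lines):
    # Findings for one SSID: 802.11w mode, timer ranges, Client MFP overlap.
    findings, mode = [], None
    for parts in (l.split() for l in lines):
        if len(parts) != 3 or parts[0] != "11w-pmf":
            continue
        if parts[1] == "client":
            mode = parts[2]  # "required" or "optional"
        elif parts[1] in TIMER_RANGES:
            lo, hi = TIMER_RANGES[parts[1]]
            if not lo <= int(parts[2]) <= hi:
                findings.append(f"{parts[1]} {parts[2]} ms outside {lo}-{hi} ms")
    if mode is None:
        findings.append("802.11w not enabled: management frames unprotected")
    elif any(l.startswith("ids mfp client") for l in lines):
        findings.append("Client MFP and 802.11w both enabled on this SSID")
    return findings

def audit_config(config):
    return {name: audit_ssid(lines) for name, lines in parse_ssids(config).items()}
```

Run audit_config on the output of "show running-config" to get a per-SSID list of findings; an empty list means the SSID requires 802.11w with both timers in range.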