Preface
- Text Conventions
- Platform-Dependent Conventions
- Providing Feedback to Us
- Getting Help
- Documentation and Training
About This Guide
- ABOUT THIS GUIDE
  - Notational Conventions
Introduction
- WiNG CLI Structure
User Exec Mode Commands
- USER EXEC MODE COMMANDS
  - user-exec-commands
Privileged Exec Mode Commands
- PRIVILEGED EXEC MODE COMMANDS
  - privileged-exec-commands
Global Configuration Mode Commands
- GLOBAL CONFIGURATION COMMANDS
  - global-config-commands
Common Commands
- COMMON COMMANDS
  - common-commands
    - clrscr
    - commit
    - exit
    - help
    - no
    - revert
    - service
    - show
    - write
Show Commands
- SHOW COMMANDS
  - show-commands
    - show
    - adoption
    - bluetooth
    - boot
    - bonjour
    - captive-portal
    - captive-portal-page-upload (show commands)
    - cdp
    - classify-url
    - clock
    - cluster
    - cmp-factory-certs
    - commands
    - context
    - critical-resources
    - crypto
    - database
    - device-upgrade
    - dot1x
    - dpi
    - environmental-sensor
    - event-history
    - event-system-policy
    - ex3500
    - extdev
    - fabric-attach
    - file
    - file-sync
    - firewall
    - global
    - gps (show command)
    - gre
    - guest-registration
    - interface
    - iot-device-type-imagotag
    - ip
    - ip-access-list-stats
    - ipv6
    - ipv6-access-list
    - l2tpv3
    - lacp
    - ldap-agent
    - licenses
    - lldp
    - logging
    - mac-access-list-stats
    - mac-address-table
    - macauth
    - mac-auth-clients
    - mint
    - ntp
    - password-encryption
    - pppoe-client
    - privilege
    - radius
    - reload
    - rf-domain-manager
    - role
    - route-maps
    - rtls
    - running-config
    - session-changes
    - session-config
    - sessions
    - site-config-diff
    - smart-rf
    - snmpv3 (show command)
    - spanning-tree
    - startup-config
    - t5
    - terminal
    - timezone
    - traffic-shape
    - tron (show command)
    - upgrade-status
    - version
    - vrrp
    - virtual-machine
    - wireless
    - web-filter
    - what
    - wwan
Profile Commands
- PROFILES
AAA Policy
- AAA-POLICY
  - aaa-policy-commands
Auto-Provisioning Policy
- AUTO-PROVISIONING-POLICY
  - auto-provisioning-policy-commands
Association-ACL Policy
- ASSOCIATION-ACL-POLICY
  - Association-acl-policy-commands
    - deny
    - permit
    - no
Access-List Policy
- ACCESS-LIST
DHCP Policy
- DHCP-SERVER-POLICY
  - dhcp-server-policy commands
  - dhcpv6-server-policy commands
Firewall Policy
- FIREWALL-POLICY
  - firewall-policy-commands
    - acl-logging
    - alg
    - clamp
    - dhcp-offer-convert
    - dns-snoop
    - firewall
    - flow
    - ip
    - ip-mac
    - ipv6
    - ipv6-mac
    - logging
    - proxy-arp
    - proxy-nd
    - stateful-packet-inspection-12
    - storm-control
    - virtual-defragmentation
    - no
MiNT Policy
- MINT-POLICY
  - mint-policy-commands
    - level
    - lsp
    - mtu
    - router
    - udp
    - no
Management Policy
- MANAGEMENT-POLICY
  - management-policy-commands
RADIUS Policy
- RADIUS-POLICY
  - radius-group
    - guest
    - policy
    - rate-limit
    - no
  - radius-server-policy
    - authentication
    - bypass
    - chase-referral
    - crl-check
    - ldap-agent
    - ldap-group-verification
    - ldap-server
    - local
    - nas
    - proxy
    - session-resumption
    - termination
    - use
    - no
  - radius-user-pool-policy
    - duration
    - user
    - no
Radio QoS Policy
- RADIO-QOS-POLICY
  - radio-qos-policy-commands
Role Policy
- ROLE-POLICY
  - role-policy-commands
Smart-RF Policy
- SMART-RF-POLICY
  - smart-rf-policy commands
WIPS Policy
- WIPS-POLICY
  - wips-policy-commands
WLAN QoS Policy
- WLAN-QOS-POLICY
  - WLAN-QOS-Policy commands
L2TPv3 Policy
- L2TPV3-POLICY
Router Mode Commands
- ROUTER-MODE
  - router-mode-commands
Routing Policy
- ROUTING-POLICY
  - routing-policy-commands
AAA_TACACS Policy
- AAA-TACACS-POLICY
  - aaa-tacacs-policy-commands
Meshpoint Policy
- MESHPOINT
Passpoint Policy
- PASSPOINT POLICY
  - passpoint-policy
Crypto-CMP Policy
- CRYPTO-CMP-POLICY
  - crypto-cmp-policy-instance
  - other-cmp-related-commands
    - use (other-cmp-related-commands)
    - show (other-cmp-related-commands)
Roaming-Assist Policy
- ROAMING ASSIST POLICY
  - roaming-assist-policy commands
Border Gateway Policy
- BORDER GATEWAY PROTOCOL
Controller Managed WLAN Use Case
- CREATING A FIRST CONTROLLER MANAGED WLAN

protected-mgmt-frames

Configures the WLAN's frame protection mode and security association (SA) query parameters

802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The ‘robust management frames‘ are action, disassociation, and de-authentication frames. The standard provides one security protocol CCMP for protection of unicast robust management frames. The Protected management frames (PMF) protocol only applies to robust management frames after establishment of RSNA PTK. Robust management frame protection is achieved by using CCMP for unicast management frames, broadcast/multicast integrity protocol for broadcast/multicast management frames and SA query protocol for protection against (re)association attacks.

Supported in the following platforms:

Access Points — AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8163, AP8432, AP8533
Wireless Controller — RFS4010
Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]

Parameters

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]

protected-mgmt-frames	Enables and configures WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frames are continually or optionally protected. Frame protection mode is disabled by default.
mandatory	Enforces PMF on this WLAN (management frames are continually optionally protected)
optional	Provides PMF only for those clients that support PMF (management frames are optionally protected)
sa-query [attempts <1-10>\| timeout <100-1000>]	Configures the following SA parameters: attempts <1-10> – Configures the number of SA query attempts from 1 - 10. The default is 5. timeout <100-1000> – Configures the interval, in milliseconds, used to timeout association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default value is 201 milliseconds.

Examples

nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory

nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#

Related Commands

no (wlan-config-mode)

Disables enforcement of protected management frames on this WLAN. And reverts protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively.

Published June 2019prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback