protected-mgmt-frames

Configures the WLAN's frame protection mode and security association (SA) query parameters.

802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The 'robust management frames' are action, disassociation, and de-authentication frames. The standard provides one security protocol, CCMP, for protection of unicast robust management frames. The Protected Management Frames (PMF) protocol applies to robust management frames only after a Robust Security Network association (RSNA) Pairwise Transient Key (PTK) has been established. Robust management frame protection is achieved by using CCMP for unicast management frames, the broadcast/multicast integrity protocol for broadcast/multicast management frames, and the SA query protocol for protection against (re)association attacks.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

Parameters

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

protected-mgmt-frames – Enables and configures the WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frame protection is mandatory or optional.
Note: Frame protection mode is disabled by default.

mandatory – Enforces PMF on this WLAN (management frames are always protected).
Note: This option does not allow non-PMF capable clients to associate.

optional – Provides PMF only for those clients that support PMF (that is, management frame protection is optional).
Note: This option allows both PMF-capable and non-PMF capable wireless clients to associate. However, only the management frames of PMF-capable clients are protected.

sa-query [attempts <1-10>|timeout <100-1000>] – Configures the following SA parameters:
  • attempts <1-10> – Configures the number of SA query attempts from 1 - 10. The default is 5.
  • timeout <100-1000> – Configures the interval, in milliseconds, used to time out association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default value is 201 milliseconds.

Examples

nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#
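
The following is an added example, not part of the original command reference or the vendor's tooling: a small Python audit that reads `show context`-style WLAN blocks and reports each WLAN's PMF posture using the rules stated on this page (disabled by default, optional admits non-PMF clients, PMF applies only once an RSNA PTK exists). The function names and the sample WLANs `corp` and `guest` are constructed, and it assumes `encryption-type none` means no RSNA PTK is negotiated.

```python
import re

# Constructed sample, laid out like the `show context` output above.
SAMPLE = """\
wlan test
 ssid test
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
wlan corp
 ssid corp
 encryption-type ccmp
 protected-mgmt-frames optional
wlan guest
 ssid guest
 encryption-type ccmp
"""

def parse_wlans(text):
    """Return {wlan_name: [setting lines]} from show-context style text."""
    wlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"wlan\s+(\S+)\s*$", line)
        if m:
            current = wlans.setdefault(m.group(1), [])
        elif not line.startswith(" "):
            current = None  # prompt line or another top-level block
        elif current is not None:
            current.append(line.strip())
    return wlans

def audit_pmf(text):
    """Return {wlan_name: [findings]} describing each WLAN's PMF posture."""
    report = {}
    for name, lines in parse_wlans(text).items():
        mode = next((l.split()[1] for l in lines if re.fullmatch(
            r"protected-mgmt-frames (mandatory|optional)", l)), None)
        enc = next((l.split()[1] for l in lines
                    if l.startswith("encryption-type ")), None)
        findings = []
        if mode is None:  # the page states frame protection is off by default
            findings.append("PMF disabled: management frames unprotected")
        elif mode == "optional":
            findings.append("PMF optional: non-PMF clients associate unprotected")
        if mode and enc == "none":  # assumption: no encryption means no RSNA PTK
            findings.append("PMF set with encryption-type none: no PTK to protect frames")
        report[name] = findings
    return report
```

An empty findings list means the WLAN has PMF mandatory together with an encryption type other than `none`.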

Related Commands

no (wlan-config-mode) – Disables enforcement of protected management frames on this WLAN and reverts the protected management frames sa-query timeout and attempts to 201 milliseconds and 5, respectively.