protected-mgmt-frames
Configures the WLAN's frame protection mode and security association (SA) query parameters
802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The 'robust management frames' are action, disassociation, and de-authentication frames. The standard provides one security protocol, CCMP, for protection of unicast robust management frames. The Protected Management Frames (PMF) protocol applies to robust management frames only after establishment of the Robust Security Network Association Pairwise Transient Key (RSNA PTK). Robust management frame protection is achieved by using CCMP for unicast management frames, the broadcast/multicast integrity protocol for broadcast/multicast management frames, and the SA query protocol for protection against (re)association attacks.
Supported on the following platforms:
- Access Points — AP505i, AP510i/e, AP560i/h
- Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000
Syntax
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
Parameters
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
protected-mgmt-frames | Enables and configures the WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frame protection is mandatory or optional. Note: Frame protection mode is disabled by default.
mandatory | Enforces PMF on this WLAN (management frames are always protected). Note: This option does not allow non-PMF capable clients to associate.
optional | Provides PMF only for those clients that support PMF (that is, management frame protection is optional). Note: This option allows both PMF-capable and non-PMF capable wireless clients to associate. However, only the management frames of PMF-capable clients are protected.
sa-query [attempts <1-10>|timeout <100-1000>] | Configures the following SA parameters:
- attempts <1-10> – Configures the number of SA query attempts, from 1 to 10. The default is 5.
- timeout <100-1000> – Configures the interval, in milliseconds, used to time out association requests that exceed the defined interval. Specify a value from 100 to 1000 milliseconds. The default value is 201 milliseconds.
Examples
nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#show context
wlan test
ssid test
bridging-mode tunnel
encryption-type none
authentication-type none
protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#
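An added example, not part of the original reference and not vendor code: a Python check that reads WLAN blocks in the show context layout above and reports the PMF posture of each one, using the modes, default and sa-query ranges documented on this page. The function names, WLAN names and the "encryption-type ccmp" value are assumptions of this example, as is treating "encryption-type none" as a WLAN on which no RSNA PTK is established.

```python
import re
# Constructed input in "show context" style; "encryption-type ccmp" is an assumed value.
SAMPLE = """\
wlan guest
 encryption-type none
 protected-mgmt-frames mandatory
wlan corp
 encryption-type ccmp
 protected-mgmt-frames optional
 protected-mgmt-frames sa-query attempts 12
wlan lab
wlan secure
 encryption-type ccmp
 protected-mgmt-frames mandatory
 protected-mgmt-frames sa-query timeout 500
"""
LIMITS = {"attempts": (1, 10), "timeout": (100, 1000)}  # ranges from the Syntax line

def parse_wlans(text):
    """Map each WLAN to its PMF mode ("disabled" is the documented default),
    encryption type and any sa-query values set."""
    wlans, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"wlan (\S+)", line):
            cur = wlans.setdefault(m[1], {"mode": "disabled", "enc": None, "sa": {}})
        elif cur is None:
            continue  # ignore prompts or settings outside a wlan block
        elif m := re.fullmatch(r"encryption-type (\S+)", line):
            cur["enc"] = m[1]
        elif m := re.fullmatch(r"protected-mgmt-frames (mandatory|optional)", line):
            cur["mode"] = m[1]
        elif m := re.fullmatch(r"protected-mgmt-frames sa-query (attempts|timeout) (\d+)", line):
            cur["sa"][m[1]] = int(m[2])
    return wlans

def audit(text):
    """Return sorted (wlan, finding) pairs; a WLAN with no findings is absent."""
    out = []
    for name, w in parse_wlans(text).items():
        if w["mode"] == "disabled":
            out.append((name, "PMF disabled"))
        elif w["mode"] == "optional":
            out.append((name, "PMF optional: non-PMF clients unprotected"))
        if w["mode"] != "disabled" and w["enc"] == "none":
            out.append((name, "PMF set without encryption: no RSNA PTK"))
        for key, val in w["sa"].items():
            if not LIMITS[key][0] <= val <= LIMITS[key][1]:
                out.append((name, f"sa-query {key} {val} out of range"))
    return sorted(out)
print(*audit(SAMPLE), sep="\n")
```

Run over the show context output in the example above, the check reports the test WLAN, which sets PMF to mandatory while encryption-type is none.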
Related Commands
no (wlan-config-mode) | Disables enforcement of protected management frames on this WLAN, and reverts the protected management frames sa-query timeout and attempts to 201 milliseconds and 5, respectively.