The IEEE 802.11w Protected management frames (PMF) standard provides protection for the following robust management frame types: de-authentication, disassociation, action and channel switch announcement unicast frames forwarded to a client. Robust management frame protection is achieved by using CCMP for unicast management frames, broadcast/multicast integrity protocol for broadcast/multicast management frames and SA query protocol for protection against (re)association attacks.
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]
protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]
| protected-mgmt-frames | Enables and configures WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frame protection is mandatory or optional. |
| mandatory | Enforces PMF on this WLAN (management frames are always protected). This option
requires clients to negotiate PMF when joining a WLAN. Note: This option does not allow non-PMF
capable clients to associate.
|
| optional | Provides PMF only for PMF-capable clients (that is, management frame protection
is optional). Note: This option
allows both PMF-capable and non-PMF capable wireless clients to associate.
However, only the management frames of PMF-capable clients is
protected.
Note: This is the default setting. By default, PMF is
enabled and set to the 'optional' mode.
|
| sa-query [attempts <1-10>| timeout <100-1000>] | Configures the following SA parameters:
|
nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none protected-mgmt-frames mandatory nx9500-6C8809(config-wlan-test)#
| no (wlan-config-mode) | Disables enforcement of protected management frames on this WLAN. And reverts protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively. |