protected-mgmt-frames

Configures the WLAN's frame protection mode and SA (security association) query parameters.

802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The 'robust management frames' are action, disassociation, and de-authentication frames. The standard provides one security protocol, CCMP, for protection of unicast robust management frames. The PMF (protected management frames) protocol applies to robust management frames only after the RSNA PTK (Robust Security Network Association Pairwise Transient Key) is established. Robust management frame protection is achieved by using CCMP for unicast management frames, the broadcast/multicast integrity protocol for broadcast/multicast management frames, and the SA query protocol for protection against (re)association attacks.

Supported on the following devices:

Syntax

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

Parameters

protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
protected-mgmt-frames Enables and configures the WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frames are continually or optionally protected. Frame protection mode is disabled by default.
mandatory Enforces PMF on this WLAN (management frames are continually protected)
optional Provides PMF only for those clients that support PMF (management frames are optionally protected)
sa-query [attempts <1-10>| timeout <100-1000>] Configures the following SA parameters:
  • attempts <1-10> – Configures the number of SA query attempts from 1 - 10. The default is 5.
  • timeout <100-1000> – Configures the interval, in milliseconds, used to time out association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default value is 201 milliseconds.

Examples

nx9500-6C8809(config-wlan-test)#protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#
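
The following offline audit of saved `show context` output is an added example, not part of the product documentation. It reports each WLAN's PMF mode, checks sa-query values against the ranges above, and flags PMF combined with `encryption-type none`, since PMF applies only after an RSNA PTK is established. Assumptions: sa-query settings appear in the context as typed, the function names are hypothetical, and the "guest" block is constructed.

```python
import re

# sa-query limits as documented on this page: (min, max, default).
SA_LIMITS = {"attempts": (1, 10, 5), "timeout": (100, 1000, 201)}
# A block is an unindented "wlan <name>" line plus the indented lines under it.
WLAN_BLOCK = re.compile(r"^wlan[ \t]+(\S+)[ \t]*\n((?:[ \t]+\S.*\n?)*)", re.M)

def parse_wlans(text):
    """Split 'show context'-style text into {wlan_name: [config lines]}."""
    return {m[1]: [l.strip() for l in m[2].splitlines()] for m in WLAN_BLOCK.finditer(text)}

def audit_wlan(lines):
    """Return (pmf_mode, sa_query, findings) for one WLAN block."""
    mode, enc, findings = "disabled", None, []  # PMF is disabled by default
    sa = {k: v[2] for k, v in SA_LIMITS.items()}
    for key, *val in (line.split() for line in lines):
        if key == "encryption-type" and val:
            enc = val[0]
        elif key == "protected-mgmt-frames" and val in (["mandatory"], ["optional"]):
            mode = val[0]
        elif key == "protected-mgmt-frames" and len(val) == 3 and val[0] == "sa-query":
            if val[1] in sa and val[2].isdigit():
                sa[val[1]] = int(val[2])
    for name, (lo, hi, _) in SA_LIMITS.items():
        if not lo <= sa[name] <= hi:
            findings.append(f"sa-query {name} {sa[name]} outside {lo}-{hi}")
    if mode != "mandatory":
        findings.append(f"PMF is {mode}, not enforced for every client")
    if mode != "disabled" and enc == "none":
        findings.append("PMF set with encryption-type none: PMF needs an RSNA PTK")
    return mode, sa, findings

# "test" is trimmed from this page's example output; "guest" is constructed.
SAMPLE = """wlan test
 encryption-type none
 protected-mgmt-frames mandatory
nx9500-6C8809(config-wlan-test)#
wlan guest
 encryption-type ccmp
 protected-mgmt-frames optional
 protected-mgmt-frames sa-query attempts 12
"""

if __name__ == "__main__":
    for wlan, cfg in parse_wlans(SAMPLE).items():
        print(wlan, audit_wlan(cfg))
```

The out-of-range `attempts 12` stands in for a hand-edited template checked before it is pushed to a device.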

Related Commands

no (wlan-config-mode) Disables enforcement of protected management frames on this WLAN and reverts the protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively.