Protection of Broadcast Management Frames, Client MFP for Access Points in Root Mode, Configuring Client MFP – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual
Page 398
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
Chapter 13
Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Protection of Broadcast Management Frames
To prevent attacks that use broadcast frames, access points supporting CCXv5
don’t emit any broadcast class 3 management frames. An access point in
workgroup bridge, repeater, or non-root bridge mode discards broadcast class 3
management frames if Client MFP is enabled. Client MFP is enabled only for
autonomous access points if the encryption is AES-CCMP or TKIP and the key
management is WPA version 2.
Client MFP for Access Points in Root Mode
Autonomous access points in root mode support mixed mode clients. Clients
capable of CCXv5 with negotiated cipher suite AES or TKIP with WPAv2 are
Client MFP enabled. Client MFP is disabled for clients that are not CCXv5
capable. By default, Client MFP is optional for a particular SSID on the access
point, and can be enabled or disabled by using CLI in SSID configuration mode.
Client MFP can be configured as either required or optional for a particular
SSID. To configure Client MFP as required, you must configure the SSID with
key management WPA version 2 mandatory. If the key management is not
WPAv2 mandatory, an error message is displayed and your CLI command is
rejected. If Client MFP is configured as required with key management WPAv2
and you attempt to change the key management, an error message appears and
your CLI command is rejected. When configured as optional, Client MFP is
enabled if the SSID is capable of WPAv2, otherwise Client MFP is disabled.
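The rules above, applied as a configuration audit (an added example, not code from the manual or from Rockwell Automation). The `dot11 ssid` and `authentication key-management` lines follow Cisco IOS autonomous access point syntax, which this page does not show, and are assumptions, as are the SSID names and the choice to treat any `wpa version 2` key-management line as WPAv2 capable.

```python
import re

# Constructed running-config excerpt; names and key-management lines are assumptions.
SAMPLE_CONFIG = """\
dot11 ssid PLANT-FLOOR
 authentication key-management wpa version 2
 ids mfp client required
!
dot11 ssid GUEST
 ids mfp client required
!
dot11 ssid LEGACY
 authentication key-management wpa optional
!
dot11 ssid SCANNERS
 authentication key-management wpa version 2
 no ids mfp client
!
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-command lines]} for each 'dot11 ssid' block."""
    ssids, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif line == "!" or not raw.startswith(" "):
            current = None  # block ended
        elif current is not None:
            current.append(line)
    return ssids

def client_mfp_state(lines):
    """Apply the manual's rules and return the effective Client MFP state."""
    km = next((l for l in lines if l.startswith("authentication key-management")), "")
    wpa2 = "wpa version 2" in km
    mandatory = wpa2 and not km.endswith(" optional")
    if "no ids mfp client" in lines:
        return "disabled"
    if "ids mfp client required" in lines:
        return "required" if mandatory else "INVALID: required without WPAv2 mandatory"
    # No 'ids mfp client' line means the default, which is optional.
    return "optional-enabled" if wpa2 else "optional-disabled"

def audit(config):
    """Map every SSID in the config to its effective Client MFP state."""
    return {name: client_mfp_state(lines) for name, lines in parse_ssids(config).items()}
```

Calling `audit(SAMPLE_CONFIG)` flags GUEST, a combination the CLI itself would reject but that can still appear in a hand-edited or merged configuration file.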
Configuring Client MFP
The following CLI commands are used to configure Client MFP for access
points in root mode.
ids mfp client required
This SSID configuration command enables Client MFP as required on a
particular SSID. The Dot11Radio interface is reset when the command is
executed if the SSID is bound to the Dot11Radio interface. The command also
expects that the SSID is configured with WPA version 2 mandatory. If the SSID
is not configured with WPAv2 mandatory, an error message appears and the
command is rejected.
no ids mfp client
This SSID configuration command disables Client MFP on a particular SSID. The
Dot11Radio interface is reset when the command is executed if the SSID is
bound to the Dot11Radio interface.
ids mfp client optional