Protection of broadcast management frames, Client mfp for access points in root mode, Configuring client mfp – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual

Rockwell Automation Publication 1783-UM006A-EN-P - May 2014

Chapter 13

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Protection of Broadcast Management Frames

To prevent attacks by using broadcast frames, access points supporting CCXv5
don’t emit any broadcast class 3 management frames. An access point in
workgroup bridge, repeater, or non-root bridge mode discards broadcast class 3
management frames if Client MFP is enabled. Client MFP is enabled only for
autonomous access points if the encryption is AES-CCMP or TKIP and the key
management is WPA version 2.

Client MFP for Access Points in Root Mode

Autonomous access points in root mode support mixed mode clients. Clients
capable of CCXv5 with negotiated cipher suite AES or TKIP with WPAv2 are
Client MFP enabled. Client MFP is disabled for clients that are not CCXv5
capable. By default, Client MFP is optional for a particular SSID on the access
point, and can be enabled or disabled by using the CLI in SSID configuration mode.

Client MFP can be configured as either required or optional for a particular
SSID. To configure Client MFP as required, you must configure the SSID with
key management WPA version 2 mandatory. If the key management is not
WPAv2 mandatory, an error message is displayed and your CLI command is
rejected. If you attempt to change the key management while Client MFP is
configured as required and the key management is WPAv2, an error message appears
and the CLI command is rejected. When configured as optional, Client MFP is
enabled if the SSID is capable of WPAv2; otherwise, Client MFP is disabled.
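
The required/optional rules above can be checked against a saved configuration before it is loaded. The following is an added example, not code from the manual or from Rockwell Automation: it audits each SSID block using the `ids mfp client` commands listed under Configuring Client MFP. The `dot11 ssid` block layout and the `authentication key-management wpa version 2 [optional]` line are assumed IOS-style syntax that this page does not show, and the sample configuration is constructed.

```python
import re

# Constructed sample config. Only the `ids mfp client` lines come from this page;
# the `dot11 ssid` and `authentication key-management` syntax is an assumption.
SAMPLE_CONFIG = """\
dot11 ssid PLANT-A
 authentication key-management wpa version 2
 ids mfp client required
!
dot11 ssid PLANT-B
 authentication key-management wpa version 2 optional
 ids mfp client required
!
dot11 ssid GUEST
 authentication open
!
dot11 ssid LEGACY
 authentication key-management wpa version 2
 no ids mfp client
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-command lines]} for each `dot11 ssid` block."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^dot11 ssid (\S+)", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return ssids

def audit_client_mfp(config):
    """Map each SSID to (configured setting, effective state, finding or None)."""
    report = {}
    for name, lines in parse_ssids(config).items():
        km = [l for l in lines if l.startswith("authentication key-management")]
        wpa2 = any("wpa version 2" in l for l in km)
        mandatory = any("wpa version 2" in l and not l.endswith("optional") for l in km)
        if "no ids mfp client" in lines:
            report[name] = ("disabled", "disabled", "Client MFP disabled on this SSID")
        elif "ids mfp client required" in lines:
            # The manual states the CLI rejects `required` without WPAv2 mandatory.
            report[name] = ("required", "enabled", None) if mandatory else ("required", "rejected", "needs WPAv2 mandatory")
        else:  # no command or explicit `optional`: optional is the default
            report[name] = ("optional", "enabled", None) if wpa2 else ("optional", "disabled", "SSID not WPAv2 capable")
    return report
```

Here "enabled" refers to the SSID setting; per the text above, Client MFP still applies only to clients that are CCXv5 capable.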

Configuring Client MFP

The following CLI commands are used to configure Client MFP for access
points in root mode.

ids mfp client required

This SSID configuration command enables Client MFP as required on a
particular SSID. The Dot11Radio interface is reset when the command is
executed if the SSID is bound to the Dot11Radio interface. The command also
expects that the SSID is configured with WPA version 2 mandatory. If the SSID
is not configured with WPAv2 mandatory, an error message appears and the
command is rejected.

no ids mfp client

This SSID configuration command disables Client MFP on a particular SSID. The
Dot11Radio interface is reset when the command is executed if the SSID is
bound to the Dot11Radio interface.

ids mfp client optional