Configuring Management Frame Protection - Cisco SD2008T-NA Configuration Manual

4400 series wireless lan controller

Chapter 5
Configuring Security Solutions
OL-9141-03

Step 5   To apply an ACL to the data path, enter this command:
config acl apply acl_name
Step 6   To create a new ACL that restricts the type of traffic (wired, wireless, or both) reaching the controller CPU, enter this command:
config acl cpu acl_name {wired | wireless | both}
Step 7   To see the ACL that is configured on the controller CPU, enter this command:
show acl cpu
Step 8   To apply an ACL to a management, AP-manager, or dynamic interface, enter this command:
config interface acl {management | ap-manager | dynamic_interface_name} acl_name
See Chapter 3 for more information on configuring controller interfaces.
Step 9   To apply a preauthentication ACL to a WLAN for an external web server, enter this command:
config wlan security web-auth acl wlan_id acl_name
See Chapter 6 for more information on configuring WLANs.
Step 10  To save your settings, enter this command:
save config
Note     To delete an ACL, enter config acl delete acl_name. To delete an ACL rule, enter config acl rule delete acl_name rule_index.

Configuring Management Frame Protection

Management frame protection (MFP) provides for the authentication of 802.11 management frames by
the wireless network infrastructure. Management frames can be protected in order to detect adversaries
that are invoking denial-of-service attacks, flooding the network with associations and probes,
interjecting as rogue access points, and affecting network performance by attacking the QoS and radio
measurement frames. MFP also provides a quick and effective means to detect and report phishing
incidents.
MFP performs three main functions:
Management frame protection—When management frame protection is enabled, the access point
protects the management frames it transmits by adding a message integrity check information
element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC,
causing any receiving access point configured to detect MFP frames to report the discrepancy.
Management frame validation—When management frame validation is enabled, the access point
validates every management frame that it receives from other access points in the network. It ensures
that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches
the content of the management frame. If it receives any frame that does not contain a valid MIC IE
from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the
discrepancy to the network management system. In order for the timestamps to operate properly, all
controllers must be Network Time Protocol (NTP) synchronized.
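
A simplified model of the protection and validation functions described above, added here as an example and not taken from the Cisco guide. The IE layout, the HMAC-SHA1 MIC, the per-BSSID key table and the 2-second window are assumptions for illustration, not Cisco's wire format.

```python
import hashlib
import hmac
import struct

MIC_IE_ID = 0xDD      # vendor-specific element ID; the IE body layout is an assumption
MAX_SKEW = 2.0        # seconds of clock difference tolerated (assumed value)
IE_LEN = 2 + 8 + 20   # ID + length, 8-byte timestamp, 20-byte HMAC-SHA1

def protect(frame: bytes, key: bytes, now: float) -> bytes:
    """Transmit side: append a MIC IE (timestamp + MIC) to a management frame."""
    ts = struct.pack(">d", now)
    mic = hmac.new(key, frame + ts, hashlib.sha1).digest()
    return frame + bytes([MIC_IE_ID, len(ts + mic)]) + ts + mic

def validate(rx: bytes, bssid: str, mfp_keys: dict, now: float) -> str:
    """Receive side: classify a management frame heard from another access point."""
    key = mfp_keys.get(bssid)
    if key is None:
        return "not-protected"               # originator is not configured to transmit MFP frames
    if len(rx) < IE_LEN or rx[-IE_LEN] != MIC_IE_ID or rx[-IE_LEN + 1] != IE_LEN - 2:
        return "report: MIC IE missing"
    frame, ts, mic = rx[:-IE_LEN], rx[-28:-20], rx[-20:]
    expected = hmac.new(key, frame + ts, hashlib.sha1).digest()
    if not hmac.compare_digest(mic, expected):
        return "report: MIC invalid"         # content no longer matches the MIC
    if abs(now - struct.unpack(">d", ts)[0]) > MAX_SKEW:
        return "report: timestamp out of window"   # replayed copy, or clocks not synchronized
    return "valid"

def demo() -> dict:
    """Run constructed sample frames through the validator."""
    bssid = "00:11:22:33:44:55"                       # constructed sample BSSID
    keys = {bssid: b"constructed-key"}                # constructed sample key
    beacon = b"\x80\x00" + b"constructed beacon body"
    tx = protect(beacon, keys[bssid], now=1000.0)
    return {
        "genuine": validate(tx, bssid, keys, now=1000.5),
        "spoofed_no_ie": validate(beacon, bssid, keys, now=1000.5),
        "altered": validate(b"\xc0" + tx[1:], bssid, keys, now=1000.5),
        "replayed": validate(tx, bssid, keys, now=1060.0),
        "unsynced_receiver": validate(tx, bssid, keys, now=1030.0),
        "other_ap": validate(beacon, "66:77:88:99:aa:bb", keys, now=1000.5),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} {verdict}")
```

The "unsynced_receiver" case is a genuine frame judged by a receiver whose clock is 30 seconds off: it is reported exactly like a replay, which is why the timestamps only work when all controllers are NTP synchronized.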
Cisco Wireless LAN Controller Configuration Guide
