Cisco Systems 15.2(2)JA Universal Remote User Manual


 
12-7
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring WDS
access points. The WLSE examines the BRIDGE MIB of each CDP-discovered switch to determine
if they contain any of the target MAC addresses. If CDP finds any of the MAC addresses, WLSE
suppresses the corresponding switch port number.
Excessive management frame detection—Excessive management frames indicate an attack on your
wireless LAN. An attacker might carry out a denial-of-service attack by injecting excessive
management frames over the radio to overwhelm access points which have to process the frames.
As part of the WIDS feature set, access points in scanning mode and root access points monitor radio
signals and detect excessive management frames. When they detect excessive management frames,
the access points generate a fault and send it through the WDS to the WLSE.
Authentication/protection failure detection—Authentication/protection failure detection looks for
attackers who are either trying to overcome the initial authentication phase on a wireless LAN or to
compromise the ongoing link protection. These detection mechanisms address specific
authentication attacks:
EAPOL flood detection
MIC/encryption failures detection
MAC spoofing detection
Frame capture mode—In frame capture mode, a scanner access point collects 802.11 frames and
forwards them to the address of a WIDS engine on your network.
Note See the “Configuring Access Points to Participate in WIDS” section on page 12-32 for
instructions on configuring the access point to participate in WIDS and Configuring
Management Frame Protection, page 12-25 for instructions on configuring the access point for
MFP.
802.11 Management Frame Protection (MFP)—Wireless is an inherently broadcast medium
enabling any device to eavesdrop and participate either as a legitimate or rogue device. Since control
and management frames are used by client stations to select and initiate a session with an AP, these
frames must be open. While management frames cannot be encrypted, they must be protected from
forgery. MFP is a means by which the 802.11 management frames can be integrity protected.
Note MFP requires WLSE for reporting intrusion events.
Note MFP is available only on 32 Mb platforms: 1040, 1130, 1140, 1240, 1250, and 1260 series
access points, and 1300 series access points in AP mode.
Configuring WDS
This section describes how to configure WDS on your network. This section contains these sections:
Guidelines for WDS, page 12-8
Requirements for WDS, page 12-8
Configuration Overview, page 12-8
Configuring Access Points as Potential WDS Devices, page 12-9
Configuring Access Points to use the WDS Device, page 12-14