12-25
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring Management Frame Protection
Step 4 Click the over-air or over-ds radio button.
Step 5 Enter the reassociation time.
The values range from 20 to 1200.
Step 6 Click Apply.
Beginning in privileged EXEC mode, perform these steps to configure SSH using the access point CLI:
Configuring Management Frame Protection
Management Frame Protection operation requires a WDS and is available on 32 Mb platforms only (s:
1130 and 1240 series access points, and 1300 series access points in AP mode.). MFP is configured at
the WLSE, but you can configure MFP on an access point and WDS manually.
Note If a WLSE is not present, then MFP cannot report detected intrusions and so has limited effectiveness.
If a WLSE is present, you should perform the configuration from the WLSE.
For complete protection, you should also configure an MFP access point for Simple Network Transfer
Protocol (SNTP).
Management Frame Protection
Management Frame Protection provides security features for the management messages passed between
Access Point and Client stations. MFP consists of two functional components: Infrastructure MFP and
Client MFP.
Infrastructure MFP provides Infrastructure support. Infrastructure MFP utilizes a message integrity
check (MIC) across broadcast and directed management frames which can assist in detection of rogue
devices and denial of service attacks. Client MFP provides client support. Client MFP protects
authenticated clients from spoofed frames, by preventing many of the common attacks against WLANs
from becoming effective.
Command Purpose
Step 1
configure terminal Enters the global configuration mode.
Step 2
dot11 ssid <ssid> Configures the SSID.
Step 3
authentication key-management
wpa version 2 dot11r
Configures 802.11r on an access point.
Step 4
interface dot11radio {0 | 1} Enters interface configuration mode for the radio interface. The
2.4-GHz radio is radio 0, and the 5-GHz radio is radio 1.
Step 5
dot11 dot11r pre-authentication Enables or disables the over-air or over-ds transition.
Step 6
dot11 dot11r re-association timer
<value>
Configures the reassociation timer.
Step 7
debug dot11 ft Debugs the 802.11r Fast BSS Transition.
Step 8
debug dot11 ft-scan Debugs the 802.11r Fast BSS Transition scan.