Cisco Systems IOS Releases 15.2(4)JA Universal Remote User Manual


 
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring Management Frame Protection
rejected. If you attempt to change the key management while Client MFP is configured as required and
key management is WPAv2, an error message displays and the CLI command is rejected. When configured as
optional, Client MFP is enabled if the SSID is capable of WPAv2; otherwise, Client MFP is disabled.
Configuring Client MFP
The following CLI commands are used to configure Client MFP for access points in root mode.
ids mfp client required
This SSID configuration command enables Client MFP as required on a particular SSID. The
Dot11Radio interface is reset when the command is executed if the SSID is bound to the Dot11Radio
interface. The command also expects that the SSID is configured with WPA Version 2 mandatory. If the
SSID is not configured with WPAv2 mandatory, an error message displays and the command is rejected.
no ids mfp client
This SSID configuration command disables Client MFP on a particular SSID. The Dot11Radio interface
is reset when the command is executed if the SSID is bound to the Dot11Radio interface.
ids mfp client optional
This SSID configuration command enables Client MFP as optional on a particular SSID. The Dot11Radio
interface is reset when the command is executed if the SSID is bound to the Dot11Radio interface. Client
MFP is enabled for this particular SSID if the SSID is WPAv2 capable; otherwise, Client MFP is disabled.
show dot11 ids mfp client statistics
Use this command to display Client MFP statistics on the access point console for a Dot11Radio
interface.
clear dot11 ids mfp client statistics
Use this command to clear the Client MFP statistics.
authentication key management wpa version {1|2}
Use this command to explicitly specify which WPA Version to use for WPA key management for a
particular SSID.
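
The WPAv2 dependency described above can be checked offline against a saved configuration. The following Python script is an added example, not part of the Cisco guide; the sample configuration and SSID names are constructed, and it assumes that WPA key management with no version keyword counts as WPAv2 capable.

```python
import re

# Constructed sample configuration for illustration; SSID names are made up.
SAMPLE_CONFIG = """\
dot11 ssid corp
   authentication key-management wpa version 2
   ids mfp client required
!
dot11 ssid legacy
   authentication key-management wpa version 1
   ids mfp client optional
!
dot11 ssid guest
   authentication open
"""
# Accept the key management command with or without the hyphen.
SSID_RE = re.compile(r"^dot11 ssid (\S+)\s*$")
KEYMGMT_RE = re.compile(r"^authentication key[- ]management wpa(?: version ([12]))?\b")
MFP_RE = re.compile(r"^ids mfp client (required|optional)\s*$")

def parse_ssids(config):
    """Return {ssid: {"wpa": None|"any"|"1"|"2", "mfp": None|"required"|"optional"}}."""
    ssids, current = {}, None
    for raw in config.splitlines():
        m = SSID_RE.match(raw)
        if m:
            current = ssids.setdefault(m.group(1), {"wpa": None, "mfp": None})
        elif not raw.startswith((" ", "\t")):
            current = None  # an unindented line ends the SSID block
        elif current is not None:
            line = raw.strip()
            if (m := KEYMGMT_RE.match(line)):
                current["wpa"] = m.group(1) or "any"  # assumption: no version = WPAv2 capable
            elif (m := MFP_RE.match(line)):
                current["mfp"] = m.group(1)
    return ssids

def audit_client_mfp(config):
    """Return {ssid: status}, the effective Client MFP state for each SSID."""
    result = {}
    for name, s in parse_ssids(config).items():
        if s["mfp"] is None:
            result[name] = "disabled"
        elif s["mfp"] == "required":  # required expects WPAv2 mandatory
            result[name] = "required" if s["wpa"] == "2" else "invalid: required without WPAv2 mandatory"
        else:  # optional protects only when the SSID is WPAv2 capable
            result[name] = "optional" if s["wpa"] in ("2", "any") else "ineffective: SSID not WPAv2 capable"
    return result

print("\n".join(f"{k}: {v}" for k, v in audit_client_mfp(SAMPLE_CONFIG).items()))
```

An SSID reported as ineffective has Client MFP configured as optional but, per the behavior described above, runs with Client MFP disabled.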
| Step | Command | Description |
|------|---------|-------------|
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | dot11 ids mfp generator | Configures the access point as an MFP generator. When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame will invalidate the MIC, causing any receiving access point that is configured to detect (validate) MFP frames to report the discrepancy. The access point must be a member of a WDS. |
| Step 3 | dot11 ids mfp detector | Configures the access point as an MFP detector. When enabled, the access point validates management frames it receives from other access points. If it receives any frame that does not contain a valid, and expected, MIC IE, it will report the discrepancy to the WDS. The access point must be a member of a WDS. |
| Step 4 | sntp server server IP address | Enter the name or IP address of the SNTP server. |