
Cisco SD2008T-NA User Manual

Cisco Wireless LAN Controller Configuration Guide
OL-9141-03
Chapter 5 Configuring Security Solutions
Configuring Management Frame Protection
Step 5 To apply an ACL to the data path, enter this command:
    config acl apply acl_name
Step 6 To create a new ACL that restricts the type of traffic (wired, wireless, or both) reaching the controller CPU, enter this command:
    config acl cpu acl_name {wired | wireless | both}
Step 7 To see the ACL that is configured on the controller CPU, enter this command:
    show acl cpu
Step 8 To apply an ACL to a management, AP-manager, or dynamic interface, enter this command:
    config interface acl {management | ap-manager | dynamic_interface_name} acl_name
See Chapter 3 for more information on configuring controller interfaces.
Step 9 To apply a preauthentication ACL to a WLAN for an external web server, enter this command:
    config wlan security web-auth acl wlan_id acl_name
See Chapter 6 for more information on configuring WLANs.
Step 10 To save your settings, enter this command:
    save config
Note To delete an ACL, enter config acl delete acl_name. To delete an ACL rule, enter config acl rule delete acl_name rule_index.
Configuring Management Frame Protection
Management frame protection (MFP) provides for the authentication of 802.11 management frames by
the wireless network infrastructure. Management frames can be protected in order to detect adversaries
that are invoking denial-of-service attacks, flooding the network with associations and probes,
interjecting as rogue access points, and affecting network performance by attacking the QoS and radio
measurement frames. MFP also provides a quick and effective means to detect and report phishing
incidents.
MFP performs three main functions:
• Management frame protection—When management frame protection is enabled, the access point
protects the management frames it transmits by adding a message integrity check information
element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC,
causing any receiving access point configured to detect MFP frames to report the discrepancy.
• Management frame validation—When management frame validation is enabled, the access point
validates every management frame that it receives from other access points in the network. It ensures
that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches
the content of the management frame. If it receives any frame that does not contain a valid MIC IE
from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the
discrepancy to the network management system. In order for the timestamps to operate properly, all
controllers must be Network Time Protocol (NTP) synchronized.
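
A conceptual model of the protect and validate behavior described above, as an added example that is not from the Cisco guide and does not reproduce the real MFP frame layout. The element ID, HMAC-SHA256 with 16-byte truncation, the 2-second window, the sample frame and all function names are assumptions chosen for illustration; the last check shows why unsynchronized clocks make valid frames look replayed.

```python
import hashlib
import hmac
import struct

MIC_IE_ID = 0xDD        # assumption: vendor-specific element ID as the container
MIC_IE_LEN = 20         # 4-byte timestamp + 16-byte truncated MIC (assumption)
MAX_SKEW_SECONDS = 2    # assumption: illustrative replay window


def protect(frame: bytes, key: bytes, now: int) -> bytes:
    """Transmitting AP: append a MIC IE (ID, length, timestamp, MIC)."""
    ts = struct.pack(">I", now)
    mic = hmac.new(key, frame + ts, hashlib.sha256).digest()[:16]
    return frame + bytes([MIC_IE_ID, MIC_IE_LEN]) + ts + mic


def validate(received: bytes, key: bytes, now: int) -> str:
    """Receiving AP: classify a frame from a BSSID known to transmit MFP frames."""
    total = MIC_IE_LEN + 2
    if (len(received) < total or received[-total] != MIC_IE_ID
            or received[-total + 1] != MIC_IE_LEN):
        return "missing-mic"        # frame claims an MFP BSSID but carries no MIC IE
    frame = received[:-total]
    ts, mic = received[-MIC_IE_LEN:-16], received[-16:]
    expected = hmac.new(key, frame + ts, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(mic, expected):
        return "invalid-mic"        # content altered or forged without the key
    if abs(now - struct.unpack(">I", ts)[0]) > MAX_SKEW_SECONDS:
        return "stale-timestamp"    # replayed copy, or clocks not synchronized
    return "valid"


# Constructed sample data: not a real beacon and not a real key.
SAMPLE_KEY = b"k" * 16
SAMPLE_FRAME = bytes.fromhex("8000") + b"\x00" * 22 + b"constructed-beacon"

if __name__ == "__main__":
    sent = protect(SAMPLE_FRAME, SAMPLE_KEY, now=1000)
    altered = sent[:30] + b"X" + sent[31:]
    for label, frame, clock in [("genuine", sent, 1000),
                                ("altered", altered, 1000),
                                ("replayed", sent, 1060),
                                ("spoofed, no MIC IE", SAMPLE_FRAME, 1000)]:
        print(f"{label:20} -> {validate(frame, SAMPLE_KEY, clock)}")
```

Each non-"valid" result corresponds to a discrepancy that the validating access point would report to the network management system.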
