The RNS (Robust Secure Network) IE must be enabled with an AES Cipher.

Similar documents
Configuring WLAN Security

Configuring Layer2 Security

Configuring r BSS Fast Transition

Configuring Access Point Groups

Configuring Access Point Groups

Configuring Aggressive Load Balancing

Configuring Local Authentication and Authorization

Configuring Secure Shell (SSH)

Configuring EEE. Finding Feature Information. Information About EEE. EEE Overview

Configuring DHCP for WLANs

RADIUS Route Download

Configuring Local Policies

Configuring the Cisco Discovery Protocol

Configuring Administrator Usernames and Passwords

Configuring Secure Shell (SSH)

Configuring Secure Shell (SSH)

Classifying Rogue Access Points

Configuring Secure Shell (SSH)

Configuring Location Settings

Configuring Ethernet Management Port

Predownloading an Image to Access Points

Configuring Secure Shell (SSH)

Configuring Secure Shell (SSH)

Classifying Rogue Access Points

Password Strength and Management for Common Criteria

Configuring System MTU

Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+)

SSH Algorithms for Common Criteria Certification

Managing Rogue Devices

Configuring parameters and Band Selection

Configuring Control Plane Policing

Configuring Secure Socket Layer HTTP

AAA Dead-Server Detection

Encrypted Vendor-Specific Attributes

Controlling Switch Access with Passwords and Privilege Levels

802.1P CoS Bit Set for PPP and PPPoE Control Frames

Configuring parameters and Band Selection

Configuring Client Roaming

Configuring a WLAN for Static WEP

Configuring Client Roaming

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring Internal Power Supplies

Configuring Embedded Resource Manager-MIB

Contextual Configuration Diff Utility

Configuring Online Diagnostics

Configuring SSM. Finding Feature Information. Prerequisites for Configuring SSM

Configuring the Service Discovery Gateway

Configuring System MTU

Controlling Switch Access with Passwords and Privilege Levels

Configuring Management Frame Protection

Configuring Port-Based Traffic Control

Configuring VLANs. Finding Feature Information. Prerequisites for VLANs

Configuring Voice and Video Parameters

802.11r Fast Transition Roaming

Cisco IOS Login Enhancements-Login Block

Configuring Ethernet Management Ports

NBAR2 HTTP-Based Visibility Dashboard

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

Configuring Cache Services Using the Web Cache Communication Protocol

Wireless KRACK attack client side workaround and detection

Dynamic Bandwidth Sharing

Configuring DHCP Option 60 and Option 82 with VPN-ID Support for Transparent Automatic Logon

DHCP Server RADIUS Proxy

Encrypted Vendor-Specific Attributes

PPPoE Smart Server Selection

Exclusive Configuration Change Access and Access Session Locking

PPPoE Smart Server Selection

Configuring a Basic Wireless LAN Connection

Securing a Wireless LAN

SIP ALG Resilience to DoS Attacks

HTTPS--HTTP Server and Client with SSL 3.0

Configuring DHCP Services for Accounting and Security

Configuration Replace and Configuration Rollback

Switches running the LAN Base feature set support only static routing on SVIs.

Configuring SDM Templates

Configuring Multicast VLAN Registration

Exclusive Configuration Change Access and Access Session Locking

IEEE 802.1X RADIUS Accounting

Configuring PoE. Finding Feature Information. Restrictions for PoE

Configuring LLDP, LLDP-MED, and Wired Location Service

8K GM Scale Improvement

Bulk Logging and Port Block Allocation

RADIUS Packet of Disconnect

Multicast Subsecond Convergence

HTTPS--HTTP Server and Client with SSL 3.0

Flow-Based per Port-Channel Load Balancing

Configuring ISG Policies for Automatic Subscriber Logon

RADIUS Tunnel Attribute Extensions

Link Aggregation Control Protocol (IEEE 802.3ad) Support for Cisco ubr10012 Routers

IP Overlapping Address Pools

Basic IGMP v3 snooping support (BISS) is supported. Bridge domain (BD) interfaces from 1 to 4094 support IGMP snooping.

Multicast Subsecond Convergence

Configuring EEE. Finding Feature Information. Restrictions for EEE

IPsec NAT Transparency

Contextual Configuration Diff Utility

Object Tracking: IPv6 Route Tracking

Configuring DHCP. Finding Feature Information. Information About DHCP. DHCP Server. DHCP Relay Agent

Clock Recovery System

Configuring Ethernet Management Ports

Configuring Authentication Types

Transcription:

Finding Feature Information, page 1 Prerequisites for 802.11w, page 1 Restrictions for 802.11w, page 2 Information About 802.11w, page 2 How to Configure 802.11w, page 3 Disabling 802.11w (CLI), page 5 Monitoring 802.11w (CLI), page 6 Additional References for 802.11w, page 7 Feature Information for 802.11w, page 8 Finding Feature Information Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for 802.11w To configure 802.11w feature for optional and mandatory, you must have WPA and AKM configured. Note The RNS (Robust Secure Network) IE must be enabled with an AES Cipher. To configure 802.11w as mandatory, you must enable PMF AKM in addition to WPA AKM. OL-27617-02 1

Restrictions for 802.11w (CLI), on page 3 Disabling 802.11w (CLI), on page 5 Information About 802.11w, on page 2 Restrictions for 802.11w 802.11w cannot be applied on an open WLAN, WEP-encrypted WLAN, or a TKIP-encrypted WLAN. The WLAN on which 802.11w is configured must have either WPA2-PSK or WPA2-802.1x security configured. (CLI), on page 3 Disabling 802.11w (CLI), on page 5 Information About 802.11w, on page 2 Information About 802.11w Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate either as a legitimate or rogue device. Control and management frames such as authentication/deauthentication, association/disassociation, beacons, and probes are used by wireless clients to select an AP and to initiate a session for network services. Unlike data traffic which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to tear down a session between a client and AP. The 802.11w protocol applies only to a set of robust management frames that are protected by the Management Frame Protection (PMF) service. These include Disassociation, Deauthentication, and Robust Action frames. Management frames that are considered as robust action and therefore protected are the following: Spectrum Management QoS Block Ack SA Query Vendor-specific Protected When 802.11w is implemented in the wireless medium, the following occur: Client protection is added by the AP adding cryptographic protection (by including the MIC information element) to deauthentication and disassociation frames preventing them from being spoofed in a DOS attack. 2 OL-27617-02

How to Configure 802.11w Infrastructure protection is added by adding a Security Association (SA) teardown protection mechanism consisting of an Association Comeback Time and an SA-Query procedure preventing spoofed association request from disconnecting an already connected client. (CLI), on page 3 Disabling 802.11w (CLI), on page 5 Prerequisites for 802.11w, on page 1 Restrictions for 802.11w, on page 2 Monitoring 802.11w (CLI), on page 6 How to Configure 802.11w (CLI) Before You Begin WPA and AKM must be configured. SUMMARY STEPS 1. configure terminal 2. wlan profile-name 3. shutdown 4. security pmf {association-check association-comeback-time-in-seconds mandatory optional saquery saquery-time-in-milliseconds} 5. no shutdown 6. end DETAILED STEPS Step 1 Command or Action configure terminal Purpose Enters global configuration mode. Step 2 Controller# configure terminal wlan profile-name Controller# wlan test4 Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. OL-27617-02 3

(CLI) Step 3 Command or Action shutdown Purpose Shutdown the WLAN before configuring the PMF. Step 4 Controller shutdown security pmf {association-check association-comeback-time-in-seconds mandatory optional saquery saquery-time-in-milliseconds} Controller(config-wlan)# security pmf saquery-retry-time 200 Configures the PMF parameters with the following options: association-comeback Configures the 802.11w association comeback time. The range is from 1 to 20 seconds. mandatory Requires clients to negotiate 802.11w PMF protection on a WLAN. optional Enables 802.11w PMF protection on a WLAN. saquery Time interval identified in milliseconds before which the SA query response is expected. If the controller does not get a response, another SQ query is tried. The range is from 100 to 500 ms. The value must be specified in multiples of 100 milliseconds. Step 5 no shutdown Restart the WLAN for the changes to take effect. Step 6 Controller no shutdown end Controller(config-wlan)# end Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode. Information About 802.11w, on page 2 Prerequisites for 802.11w, on page 1 Restrictions for 802.11w, on page 2 Monitoring 802.11w (CLI), on page 6 4 OL-27617-02

Disabling 802.11w (CLI) Disabling 802.11w (CLI) SUMMARY STEPS 1. configure terminal 2. wlan profile-name 3. shutdown 4. no security pmf [association-comeback association-check-comback-interval-seconds mandatory optional saquery saquery-time-interval-milliseconds] 5. no shutdown 6. end DETAILED STEPS Step 1 Command or Action configure terminal Purpose Enters global configuration mode. Step 2 Step 3 Controller# configure terminal wlan profile-name Controller# wlan test4 shutdown Enters the WLAN configuration submode. The profile-name is the profile name of the configured WLAN. Shutdown the WLAN before configuring the PMF. Step 4 Controller shutdown no security pmf [association-comeback association-check-comback-interval-seconds mandatory optional saquery saquery-time-interval-milliseconds] Controller(config-wlan)# no security pmf Disables PMF on the WLAN. The following attributes are available: association-comeback Disables the 802.11w association comeback time. mandatory Disables clients to negotiate 802.11w PMF protection on a WLAN. optional Disables 802.11w PMF protection on a WLAN. saquery Time interval identified in the association response to an already associated client before the association can be tried again. This time interval checks if the client is a real client and not a rogue client during the association comeback time. If the client does not respond within this time, the client association is deleted from the controller The range is from 100 to 500 ms. The value must be specified in multiples of 100 milliseconds. OL-27617-02 5

Monitoring 802.11w (CLI) Step 5 Command or Action no shutdown Purpose Restart the WLAN for the changes to take effect. Step 6 Controller no shutdown end Controller(config-wlan)# end Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-z to exit global configuration mode. Information About 802.11w, on page 2 Prerequisites for 802.11w, on page 1 Restrictions for 802.11w, on page 2 Monitoring 802.11w (CLI), on page 6 Monitoring 802.11w (CLI) The following command can be used to monitor 802.11w: 6 OL-27617-02

Additional References for 802.11w Command show wlan name wlan-profile-name Description Displays the WLAN parameters on the WLAN. The PMF parameters are displayed. Here is an example:........ Auth Key Management 802.1x : PSK : Enabled CCKM : FT dot1x : FT PSK : PMF dot1x : PMF PSK : Enabled FT Support : FT Reassociation Timeout : 20 FT Over-The-DS mode : PMF Support : Required PMF Association Comeback Timeout : 9 PMF SA Query Time : 200........ (CLI), on page 3 Disabling 802.11w (CLI), on page 5 Information About 802.11w, on page 2 Additional References for 802.11w Related Documents Related Topic WLAN Command Reference WLAN Security Document Title WLAN Command Reference, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series) Configuring WLAN Security chapter in this book. OL-27617-02 7

Feature Information for 802.11w Error Message Decoder Description To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Link https://www.cisco.com/cgi-bin/support/errordecoder/ index.cgi Standards and RFCs Standard/RFC 802.11w Title IEEE 802.11w Protected Management Frames MIBs MIB All supported MIBs for this release. MIBs Link To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs Technical Assistance Description The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Link http://www.cisco.com/support Feature Information for 802.11w This table lists the features in this module and provides links to specific configuration information: 8 OL-27617-02

Feature Information for 802.11w Feature Name 802.11w Release Cisco IOS XE 3.3SE Feature Information This feature was introduced. OL-27617-02 9

Feature Information for 802.11w 10 OL-27617-02

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback