Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not
Prerequisites for 802.11w
To configure the 802.11w feature as optional or mandatory, you must have WPA and an AKM configured.
The RSN (Robust Security Network) IE must be enabled with an AES cipher.
To configure 802.11w as mandatory, you must enable PMF AKM in addition to WPA AKM.
Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate either as a legitimate or a rogue device. Control and management frames such as authentication/deauthentication, association/disassociation, beacons, and probes are used by wireless clients to select an AP and to initiate a session for network services.
Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted open, that is, unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to tear down a session between a client and the AP.
The 802.11w protocol applies only to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, Deauthentication, and Robust Action frames.
Management frames that are considered robust action frames, and are therefore protected, are the following:
When 802.11w is implemented in the wireless medium, the following occur:
Client protection is added by the AP applying cryptographic protection (by including the MIC information element) to deauthentication and disassociation frames, preventing them from being spoofed in a DoS attack.
Infrastructure protection is added by a Security Association (SA) teardown protection mechanism, consisting of an Association Comeback Time and an SA-Query procedure, that prevents spoofed association requests from disconnecting an already connected client.
Disables PMF on the WLAN. The following attributes are available:
association-comeback—Disables the 802.11w association comeback time.
mandatory—Removes the requirement that clients negotiate 802.11w PMF protection on the WLAN.
optional—Disables 802.11w PMF protection on a WLAN.
saquery—Time interval, identified in the association response to an already associated client, before the association can be tried again. During the association comeback time, this interval is used to check that the client is a real client and not a rogue client. If the client does not respond within this time, the client association is deleted from the switch.
The range is from 100 to 500 ms. The value must be specified in multiples of 100 milliseconds.
Restart the WLAN for the changes to take effect.
Returns to privileged EXEC mode. Alternatively, you can press Ctrl-Z to exit global configuration mode.
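The following Python model is an added illustration, not Cisco code and not part of this document. It shows the two protections described under "When 802.11w is implemented" (unprotected deauthentication frames are dropped, and an association request for an already associated client triggers an SA Query instead of tearing down the session) together with the saquery timeout described under the PMF command attributes above. The class and function names (ProtectedAP, Frame, compute_mic, protected_frame, run_scenarios), the HMAC-SHA256 stand-in for the real frame MIC, the fixed 1000 ms comeback value and the simulated millisecond clock are all constructed simplifications of the actual 802.11w frame protection.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model of an AP enforcing 802.11w. The MIC is a plain
# HMAC-SHA256 stand-in for the real BIP/CCMP protection and time is a
# simulated millisecond counter; nothing here is Cisco code.


@dataclass
class Frame:
    kind: str                     # "assoc_req", "deauth" or "sa_query_resp"
    src: str                      # transmitter MAC address as printed in the frame
    body: bytes = b""
    mic: Optional[bytes] = None   # present only on protected robust frames


@dataclass
class Association:
    key: bytes                               # per-association management-frame key
    sa_query_deadline: Optional[int] = None  # simulated ms at which an open SA Query expires


def compute_mic(key: bytes, frame: Frame) -> bytes:
    """Keyed MIC over the fields a forger cannot reproduce without the key."""
    msg = frame.kind.encode() + frame.src.encode() + frame.body
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def protected_frame(kind: str, src: str, key: bytes, body: bytes = b"") -> Frame:
    """Build a robust management frame the way a legitimate client would."""
    frame = Frame(kind, src, body)
    frame.mic = compute_mic(key, frame)
    return frame


class ProtectedAP:
    def __init__(self, saquery_timeout_ms: int = 200, comeback_ms: int = 1000):
        # The page's constraint for saquery: 100-500 ms in multiples of 100.
        if not (100 <= saquery_timeout_ms <= 500 and saquery_timeout_ms % 100 == 0):
            raise ValueError("saquery must be 100-500 ms in multiples of 100")
        self.saquery_timeout_ms = saquery_timeout_ms
        self.comeback_ms = comeback_ms
        self.now_ms = 0
        self.clients: Dict[str, Association] = {}
        self.log: List[str] = []

    def associate(self, mac: str, key: bytes) -> None:
        self.clients[mac] = Association(key=key)

    def tick(self, ms: int) -> None:
        """Advance simulated time and expire unanswered SA Queries."""
        self.now_ms += ms
        for mac, assoc in list(self.clients.items()):
            if assoc.sa_query_deadline is not None and self.now_ms >= assoc.sa_query_deadline:
                del self.clients[mac]  # the real client never answered: it is gone
                self.log.append(f"{mac}: SA Query unanswered, association deleted")

    def _valid_mic(self, assoc: Association, frame: Frame) -> bool:
        return frame.mic is not None and hmac.compare_digest(frame.mic, compute_mic(assoc.key, frame))

    def receive(self, frame: Frame) -> str:
        assoc = self.clients.get(frame.src)
        if frame.kind == "deauth":
            if assoc is None:
                return "ignored: unknown client"
            if not self._valid_mic(assoc, frame):
                self.log.append(f"{frame.src}: unprotected deauth dropped")
                return "dropped: deauth without valid MIC"
            del self.clients[frame.src]
            return "deauthenticated"
        if frame.kind == "assoc_req":
            if assoc is None:
                return "accepted"  # fresh join; key setup is out of scope here
            # A request from a MAC that is already associated is not trusted on its
            # own: keep the existing SA, tell the requester to come back later, and
            # challenge the existing client with an SA Query.
            if assoc.sa_query_deadline is None:
                assoc.sa_query_deadline = self.now_ms + self.saquery_timeout_ms
                self.log.append(f"{frame.src}: SA Query sent")
            return f"rejected temporarily, comeback {self.comeback_ms} ms"
        if frame.kind == "sa_query_resp":
            if assoc is None or assoc.sa_query_deadline is None:
                return "ignored: no SA Query outstanding"
            if not self._valid_mic(assoc, frame):
                return "dropped: SA Query response without valid MIC"
            assoc.sa_query_deadline = None
            return "SA confirmed, association kept"
        return "ignored: unsupported frame"


def run_scenarios() -> Dict[str, object]:
    """Exercise the cases the text describes; returns results for checking."""
    mac, key = "aa:bb:cc:00:00:01", b"constructed-association-key"
    ap = ProtectedAP(saquery_timeout_ms=200)
    ap.associate(mac, key)
    r: Dict[str, object] = {}
    # Unprotected deauth carrying the client's MAC but no valid MIC.
    r["forged_deauth"] = ap.receive(Frame("deauth", mac))
    r["kept_after_forged_deauth"] = mac in ap.clients
    # Unprotected association request for an already associated MAC.
    r["dup_assoc"] = ap.receive(Frame("assoc_req", mac))
    r["sa_query_resp"] = ap.receive(protected_frame("sa_query_resp", mac, key))
    r["kept_after_sa_query"] = mac in ap.clients
    # Genuine deauth from the client holding the key.
    r["real_deauth"] = ap.receive(protected_frame("deauth", mac, key))
    r["kept_after_real_deauth"] = mac in ap.clients
    # Client that silently left: the SA Query goes unanswered and the stale SA is removed.
    ap.associate(mac, key)
    ap.receive(Frame("assoc_req", mac))
    ap.tick(200)
    r["kept_after_timeout"] = mac in ap.clients
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The model makes the operational point of the saquery range visible: a short timeout removes stale associations quickly, while a longer one gives a real client more time to answer the SA Query before its session is deleted.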