I spent the best part of an hour today trying to work out why a bridge link would not pass traffic. The config was right. I did a reboot, and it all started working.
So, if you think it's set up and it's not working... REBOOT!
This Blog is for my own personal notes during my quest for CCIE Wireless. Some of it is probably not correct but I will change it when I realise! Feel free to add comments if you disagree with something or wish to add anything! Thanks Phil
Friday, 8 April 2011
Wednesday, 30 March 2011
Working with the WCS FTP Server
The details for the FTP server on the WCS are:
User: ftp-user
Password: (the WCS root password)
The format to download an IOS image to an AAP (autonomous AP) from it is:
archive download-sw /overwrite ftp://ftp-user:password@10.10.210.6/filename.tar
Bear in mind that the password in that URL is typed in clear on the AP command line and ends up in the command history and in any terminal logging. If that matters, set ip ftp username and ip ftp password on the AP instead and leave the credentials out of the URL.
Wednesday, 9 March 2011
Open with EAP or Network EAP
Jerome did a really good blog on this (reposted further down this page), but to summarise:
OPEN with EAP = Authentication bit set to 0. All EAP methods except LEAP require this.
Network EAP = Authentication bit set to 1. LEAP requires this.
Some Cisco clients, such as APs acting as non-root bridges, repeaters or WGBs, require both to be offered when using an EAP method other than LEAP. This is for legacy reasons.
As LEAP is Cisco-proprietary and only CCX devices support it, setting the method to Network EAP alone will allow only CCX devices to connect.
dot11 arp-cache
This is sometimes known as "power save mode" and is the highest power-save level supported on the 7920 phone. It stops the AP forwarding ARP requests over the air for clients it already knows about, saving the wake-up time (and battery) on the client.
U-APSD is the highest level of power save on the 7921, although dot11 arp-cache should also be enabled.
Use the dot11 arp-cache global configuration command to enable client ARP caching on the access point. ARP caching on the access point reduces the traffic on your wireless LAN and increases client battery life by stopping ARP requests for client devices at the access point. Instead of forwarding ARP requests to client devices, the access point responds to requests on behalf of associated client devices and drops ARP requests that are not directed to clients associated to the access point. When ARP caching is optional, the access point responds on behalf of clients with IP addresses known to the access point but forwards through its radio port any ARP requests addressed to unknown clients. When the access point knows all the IP addresses for associated clients, it drops any ARP requests not directed to its clients. In its beacon, the access point includes an information element to alert client devices that they can safely ignore broadcast messages to increase battery life.
[no] dot11 arp-cache [optional]
Syntax Description
optional: (Optional) the access point responds on behalf of clients whose IP addresses it knows and forwards ARP requests for unknown clients through its radio port. Without the keyword, the access point drops any ARP request that is not directed to one of its associated clients.
Defaults
ARP caching is disabled by default.
Command Modes
Global configuration
Examples
This example shows how to enable ARP caching:
AP(config)# dot11 arp-cache
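The decision the command reference describes, as an added example in Python (not code from this page or from Cisco): the AP keeps a table of IP-to-MAC pairs for its associated clients (the table below is constructed, and indexing it by IP is an assumption of the example), parses an inbound ARP request from the wired side, and either answers on the client's behalf, forwards the request over the radio (optional mode only), or drops it.

```python
import struct

# Constructed table of associated clients: IP -> MAC, as learned by the AP.
# (Assumption for the example: the AP indexes its cache by client IP.)
KNOWN_CLIENTS = {
    "10.10.10.21": bytes.fromhex("001a2b3c4d01"),
    "10.10.10.22": bytes.fromhex("001a2b3c4d02"),
}

ARP_FMT = "!HHBBH6s4s6s4s"       # 28-byte Ethernet/IPv4 ARP body
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed ARP request as it would arrive on the AP's Ethernet port."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REQUEST,
                       sender_mac, ip_bytes(sender_ip), b"\x00" * 6, ip_bytes(target_ip))


def parse_arp(pkt):
    """Return the ARP fields as a dict (used to inspect what the AP sends back)."""
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, pkt)
    return {"op": op, "sender_mac": smac, "sender_ip": ip_str(sip),
            "target_mac": tmac, "target_ip": ip_str(tip)}


def ap_arp_cache(pkt, known=KNOWN_CLIENTS, optional=False):
    """What 'dot11 arp-cache [optional]' does with an ARP packet from the wire.

    Returns (action, frame):
      'reply'   the AP answers for a known client, so the client radio stays asleep
      'forward' the packet goes out over the radio: only in optional mode for an
                unknown target, or for non-request ARP traffic, which is bridged normally
      'drop'    strict mode and the target is not an associated client
    """
    req = parse_arp(pkt)
    if req["op"] != ARP_REQUEST:
        return "forward", pkt
    mac = known.get(req["target_ip"])
    if mac is not None:
        reply = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                            mac, ip_bytes(req["target_ip"]),
                            req["sender_mac"], ip_bytes(req["sender_ip"]))
        return "reply", reply
    if optional:
        return "forward", pkt
    return "drop", None
```

The mode matters where the AP's table is incomplete: in strict mode an ARP request for an IP the AP has not yet learned is silently dropped, which looks like "client unreachable" from the wired side, and that trade-off is what the optional keyword exists for.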
Tuesday, 1 March 2011
Workgroup Bridge - Client VLAN
If you have to have clients on a specific VLAN on the WGB (while still maintaining the desired native VLAN on the root AP), you can utilise the workgroup-bridge client-vlan command. From what I can see, you would need to change the BVI interface on the WGB to be in the client VLAN to maintain management of the WGB.
Root
!
dot11 ssid test
vlan 10
authentication open
!
interface Dot11Radio1
ssid test
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
infrastructure-client
!
interface Dot11Radio1.10
encapsulation dot1Q 10
bridge-group 10
!
interface Dot11Radio1.110
encapsulation dot1Q 110 native
bridge-group 1
!
interface FastEthernet0.10
encapsulation dot1Q 10
bridge-group 10
!
interface FastEthernet0.110
encapsulation dot1Q 110 native
bridge-group 1
WGB
dot11 ssid test
vlan 10
authentication open
!
interface Dot11Radio1
!
ssid test
!
station-role workgroup-bridge
!
interface Dot11Radio1.10
encapsulation dot1Q 10 native
bridge-group 1
!
interface FastEthernet0.10
encapsulation dot1Q 10 native
bridge-group 1
!
interface BVI1
ip address 10.10.10.60 255.255.255.0
no ip route-cache
!
workgroup-bridge client-vlan 10
Thursday, 10 February 2011
Autonomous QoS
If a packet comes into the AP already carrying a CoS value, that takes priority over all other QoS policies.
Then the dot11 phone setting is used to "identify" a phone and give it priority.
Then the QoS policies are looked at.
For QBSS Draft 6, supported by the 7920, enable "QoS Element for Wireless Phones" (no dot11e):
dot11 phone
For QBSS Draft 12 (IEEE 802.11e), supported by the 7921, also tick dot11e:
dot11 phone dot11e
Enable WMM so that the vendor-specific queue values are offered in the beacons (per radio). It does not hurt to leave it on in most cases, unless the task asks you to remove it:
default
Enable low latency where needed, so that packets are dropped after a certain discard level. Not for the 7921, because of its dynamic queuing mechanism.
When optimising for 7921 phones, the design guides say to match RTP and SCCP by DSCP and map them to the relevant CoS (possibly not needed, but hey!):
class-map match-all _class_RTP0
match ip dscp ef
class-map match-all _class_RTP1
match ip dscp cs3
policy-map RTP
class _class_RTP0
set cos 6
class _class_RTP1
set cos 4
interface Dot11Radio0.13
service-policy input RTP
service-policy output RTP
Also, when optimising, select "Optimized for voice" but remove low-latency queuing from the stream settings, as the 7921 doesn't need it!
Wednesday, 9 February 2011
WDS and CCKM
A breakdown of the configuration required for WDS and a CCKM SSID. The scenario requires EAP-FAST for the WDS (infrastructure) auth and LEAP for the client auth.
aaa authentication login eap_methods group rad_eap
(set up the auth method, can be the same as the client auth)
aaa group server radius rad_eap
server 10.10.110.103 auth-port 1812 acct-port 1813
(configure a radius group for local or ACS)
radius-server host 10.10.110.103 auth-port 1812 acct-port 1813 key 7 020F145E13160A3358
(define the radius server and key)
radius-server local
eapfast server-key primary auto
nas 10.10.110.103 key xxx
(nas is only required on the WDS AP; the other APs in the domain use WLCCP for client auth)
user wds pass xxx
(user for infrastructure auth)
user leap pass xxx
(user for client auth)
eap profile FAST
method fast
wlccp ap username wds password xxx
(to join the AP to the WDS, also needs to be done on domain AP's)
wlccp ap eap profile FAST
(this is required to specify EAP-FAST as the infrastructure auth type; if not, LEAP is used!)
wlccp authentication-server infrastructure eap_methods
(specifies the infrastructure auth method)
wlccp authentication-server client leap eap_methods ssid Test5
(specifies the client auth method for the SSID)
wlccp wds recovery rate 10
(allows only 10 authentications per second during failover, to prevent DoS)
wlccp wds priority 255 interface BVI1
(enables WDS on this AP and configures its priority; 255 is the highest and will become the WDS)
dot11 ssid Test5
vlan 15
authentication network-eap eap_methods
(open eap not required as it is LEAP only)
authentication key-management cckm
(enable CCKM fast roaming for the SSID)
interface Dot11Radio0
encryption vlan 15 mode ciphers ckip-cmic
(enable CKIP, the Cisco proprietary encryption, with CMIC to check integrity; both are WEP-era Cisco additions and do not turn WEP into WPA)
dot11 extension aironet
(this must be enabled with ckip and cmic, it should be by default)
Tuesday, 8 February 2011
Tacacs Authentication and Authorization
A breakdown of what is required for tacacs user auth on an AAP.
aaa new-model
aaa authentication login LOGIN group tac_users local
aaa authentication enable default group tac_users enable
aaa authorization exec LOGIN group tac_users local
(used LOGIN in this case as there was a requirement to use non default auth list)
aaa group server tacacs+ tac_users
server 10.10.210.5
tacacs-server host 10.10.210.5 key 7 08285C4B1109000506
ip http authentication aaa login-authentication LOGIN
ip http authentication aaa exec-authorization LOGIN
(define HTTP authentication lists)
line vty 0 4
authorization exec LOGIN
login authentication LOGIN
transport input ssh
(define VTY line attributes)
ACS
Configure NAS
Interface Configuration - Advanced options
Select user options if required
Edit TACACS+, add shell and advanced options
Under User or Group, set Max Privilege to 15 and use the CiscoSecure PAP password under Enable
Set per-user command authorisation
Permit unmatched if no specific commands are required
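Both this post and the WDS post above carry the AAA server key as a "key 7" string, and the next post has a "password 7 104D000A0618" credential. Type 7 is not encryption but a fixed XOR keystream, so anyone who can read the running config (a show run over a session, a TFTP backup, a WCS archive) has the shared secret. The following Python, added here and not from the page or from Cisco, implements the scheme both ways and pulls such strings out of a config; the config excerpt it runs on is constructed from a line on this page.

```python
import re

# The fixed keystream IOS uses for "service password-encryption" (type 7).
# Every IOS box shares it, which is why type 7 hides nothing from a reader of the config.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded):
    """First two characters are the decimal keystream offset; the rest is hex, one byte per char."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body)).decode()


def type7_encode(plain, seed=10):
    """Inverse of type7_decode. IOS picks the seed itself; here it is fixed so results repeat."""
    body = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


# Matches "... key 7 <hex>" (radius-server / tacacs-server) and "... password 7 <hex>" lines.
TYPE7_RE = re.compile(r"^\s*(?P<cmd>\S.*?)\s+(?:key|password)\s+7\s+(?P<enc>[0-9A-Fa-f]+)", re.M)


def recover_type7(config):
    """Return [(command prefix, recovered secret)] for every type 7 string in a config."""
    return [(m.group("cmd"), type7_decode(m.group("enc"))) for m in TYPE7_RE.finditer(config)]


# Constructed config excerpt; the credential line is the one in the next post on this page.
SAMPLE_CONFIG = """\
dot11 ssid whatever
   authentication client username jerome password 7 104D000A0618
!
"""
```

The enable password can be moved to enable secret, which is one-way, but RADIUS and TACACS+ keys have to be recoverable by the device itself, so type 7 is all IOS on these APs offers for them. The practical consequence is to protect anything that holds the config (WCS backups, the TFTP server, the WCS FTP account from the post above) as carefully as the keys themselves.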
Network EAP v Open with EAP
Thanks to Jerome Henry for this excellent explanation......
Autonomous APs: Network EAP vs. Open with EAP, the right combination
On the CLI, you would say:
dot11 ssid whatever
authentication open eap eap_methods
authentication network-eap eap_methods
As Cisco documentation (for example here) is... er... not completely clear (thanks Seth for pointing me to it!), if not completely wrong, here is a quick summary of which one to choose and when.
First, background information on why this is here (skip this part if you don't care about the whys and just care about the hows).
All this started at the time when we had "nothing (Authentication set to 0 in the AP beacons)" or WEP PSK (Authentication set to 1 in the AP beacons). WEP was weak, so everybody needed a replacement for it. Cisco implemented LEAP, which implies both an authentication mechanism and some encryption. So Cisco set the Authentication value to 1 in the AP beacons using LEAP, not to indicate PSK but to indicate "authentication required" (and this is also why you cannot use LEAP with no encryption). But this does not really conform to the (future, when LEAP was created) 802.11i (and WPA) specifications, so this is Cisco specific...
Later on, when WPA and 802.11i appeared, the protocol detailed that, for compatibility with the 802.1X protocol, the authentication would occur at the association phase. In other words, with 802.1X you plug your PC to a switch, and it is only when you do that that authentication occurs. Similarly in the wireless space, you go through the 802.11 authentication phase (request/response) in an open manner, and it is only when you go to the association phase, which is the "hey, plug me to your cell" message, that the AP says "wait, I need to do 802.1X authentication first", and the EAP process starts. So, Authentication is set to 0 (for its 802.11 part), and EAP/802.1X starts at the association phase.
At the same time, in 2004, ASLEAP was released, and so was 802.11i, following WPA the year before. So when Cisco replaced LEAP with EAP-FAST, the information I have is that they conformed to the WPA/802.11i specifications, and Authentication is set to 0.
So, (whatever the documentation above says) Network EAP = LEAP. Open with EAP = Any other EAP. This is something you see when checking Network EAP: the popup window clearly states that if you use EAP-FAST or any other EAP (than LEAP), you should check Open with EAP. You can of course check both when you want to allow LEAP and another EAP, but you will not be able to authenticate using EAP-FAST if you choose Network EAP only...
There is one exception though... for long, LEAP used to be the default "secure" authentication method. This makes that some old Cisco clients (for example access points!) need to be offered LEAP to get started (or turned on, name it the way you like)!
In other words, if you build a wireless link between 2 APs, for a repeater, bridge or Workgroup Bridge configuration, and if you use 802.1X on that link, you need to offer LEAP (i.e Network EAP) for the secure authentication to be used. So you can offer Network EAP, or Network EAP and Open with EAP, but you should not offer just Open with EAP.
Which one is going to be used if you offer both? Well, it all depends on how you configure your client side (non root Bridge, Workgroup Bridge, etc). If you use the "old" EAP Client (optional feature), in the SSID page:
Which is in the CLI:
dot11 ssid whatever
authentication client username jerome password 7 104D000A0618
This is going to use LEAP only.
If you want to use another EAP, for example EAP-FAST, you need to empty that EAP Client field (it cannot be used in combination with another method), then use the AP Authentication feature.
In this page, you define credentials and method. You can pick up several methods if you want.
Then from the SSID page, you can call these methods:
In the CLI, this is:
dot11 ssid whatever
dot1x credentials jerome
dot1x eap profile Myfast
exit
eap profile Myfast
method fast
dot1x credentials jerome
username cisco
password cisco
So you offer both LEAP and Open with EAP, and using the newer AP Authentication method allows you to use the credentials you defined, and use the most secure method selected. In this example, we use EAP-FAST only, so that's the one we'll use. Of course, the RADIUS to which your main AP points (local RADIUS on the main AP or external RADIUS) needs to allow that method.
Careful when testing: it is only from the non-root AP / WGB / repeater CLI that you will see, at authentication time, which method was used. The main AP CLI will just tell you "WPA", or "Open", etc., but not the details of the authentication method used.
If you offer just Open with EAP, as the AP expects LEAP (Network EAP) among the possibilities, then the EAP part is discarded. Although your link may come up, if you look carefully at your non-root AP CLI, you will see that the authentication is going to be "Open" (NOT with EAP), so there is no real authentication there. As soon as you also offer Network EAP, the non-root AP is happy, being offered LEAP, but also something stronger, and is going to use the stronger method (EAP-FAST in our example).
Give it a try in your lab!
;-)
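To see which of the two the non-root AP actually used (Jerome's point about checking the non-root CLI rather than the root), the cleanest evidence is the 802.11 Authentication frame itself. What the summary at the top of this page calls the authentication bit is the Authentication Algorithm Number in that frame: 0 is Open System (Open with EAP, with 802.1X running after association), 1 is Shared Key, and Cisco's Network-EAP uses 0x80. The decoder below is an added example, not code from Jerome's post or from Cisco; the frames it parses are constructed in the block, and eap_style maps the algorithm back to the SSID keyword an IOS AP has to offer before it will accept it.

```python
import struct

# Authentication Algorithm Number values: IEEE 802.11 standard ones plus Cisco's vendor value
AUTH_ALGORITHMS = {
    0x00: "Open System",
    0x01: "Shared Key",
    0x02: "Fast BSS Transition",
    0x03: "SAE",
    0x80: "Network EAP (Cisco)",
}
MGMT_TYPE, AUTH_SUBTYPE = 0, 0x0B


def build_auth_frame(sta_mac, bssid, algorithm, seq=1, status=0):
    """Constructed Authentication frame (first message, STA -> AP): 24-byte header + 6-byte body."""
    fc = (AUTH_SUBTYPE << 4) | (MGMT_TYPE << 2)      # protocol version 0, no flags
    header = struct.pack("<BBH6s6s6sH", fc, 0, 0, bssid, sta_mac, bssid, 0)
    body = struct.pack("<HHH", algorithm, seq, status)
    return header + body


def is_auth_frame(frame):
    """Frame Control: version 0, type 0 (management), subtype 11 (Authentication)."""
    fc = frame[0]
    return (fc & 0x03) == 0 and ((fc >> 2) & 0x03) == MGMT_TYPE and (fc >> 4) == AUTH_SUBTYPE


def decode_auth_frame(frame):
    if not is_auth_frame(frame) or len(frame) < 30:
        raise ValueError("not an Authentication frame")
    sta = frame[10:16]                                # Address 2 = transmitter
    algorithm, seq, status = struct.unpack_from("<HHH", frame, 24)
    return {
        "sta": sta.hex(":"),
        "algorithm": algorithm,
        "name": AUTH_ALGORITHMS.get(algorithm, "unknown (0x%02x)" % algorithm),
        "seq": seq,
        "status": status,
    }


def eap_style(algorithm):
    """SSID keyword the root AP must carry for this algorithm to pass 802.11 authentication.

    Algorithm 0 is also accepted by plain 'authentication open'; the eap form is what
    makes 802.1X run afterwards. Anything else gets no match from these two settings.
    """
    if algorithm == 0x80:
        return "authentication network-eap"
    if algorithm == 0x00:
        return "authentication open eap"
    return None
```

Run against a capture of the link coming up, a Network EAP frame from the non-root AP followed by EAP-FAST confirms the behaviour Jerome describes; an Open System frame with no EAP exchange after association is the "Open (NOT with EAP)" case.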
Monday, 7 February 2011
short-slot-time
short-slot-time (default)
Use to enhance 802.11g performance
Use the short-slot-time configuration interface command to enable short slot time on the 802.11g, 2.4-GHz radio. Short slot time reduces the slot time from 20 microseconds to 9 microseconds, thereby increasing throughput. The access point uses short slot time only when all clients that are associated to the 802.11g radio can support short slot time.
short-slot-time
Note: This command is supported only on 802.11g, 2.4-GHz radios.
Syntax Description
This command has no arguments or keywords.
Defaults
Short slot time is disabled by default.
Command Modes
Configuration interface
Examples
This example shows how to enable short slot time:
AP(config-if)# short-slot-time
dot11 extension aironet
There are several additional attributes provided with Aironet extensions (AE). They sometimes have to be disabled for legacy or non-Cisco clients to connect.
Use the dot11 extension aironet configuration interface command to enable or disable Cisco Aironet extensions to the IEEE 802.11b standard. Use the no form of this command to disable the Cisco Aironet extensions.
[no] dot11 extension aironet
Note: You cannot disable Cisco Aironet extensions on bridges.
Syntax Description
This command has no arguments or keywords.
Defaults
Cisco Aironet extensions are enabled by default.
Command Modes
Configuration interface
Usage Guidelines
The Cisco Aironet extensions help clients choose the best access point. You must enable these extensions to use advanced features such as Cisco MIC and key hashing. Disable these extensions for non-Cisco clients that misinterpret the extensions.
Examples
This example shows how to enable Cisco Aironet extensions for the radio interface:
AP(config-if)# dot11 extension aironet
This example shows how to disable Cisco Aironet extensions for the radio interface:
AP(config-if)# no dot11 extension aironet
Q. What are the features supported by the Aironet Extension option?
A. The Aironet extension is a proprietary feature implemented by Cisco. Aironet extensions contain information elements that support the features below.
Devices that are CCX compatible can also take advantage of some of the Aironet Extension features. Here is a list of the features available with the different versions of Cisco Compatible Extensions:
- Load Balancing: The access point uses Aironet extensions to direct client devices to an access point that provides the best connection to the network based on factors such as the number of users, bit error rates, load and signal strength. Load balancing is proprietary between devices that understand the Aironet extensions. It is implemented by extensions in AP beacons and/or probe responses, which provide information on:
  - Base-station signal strength
  - Base station loading (% transmitter busy)
  - Number of hops to the backbone
  - Number of client associations
  The client evaluates these and associates to the "best" one. Non-Cisco clients do not understand these extensions.
- MIC: Cisco proprietary Message Integrity Check (MIC) is an additional WEP security feature that prevents attacks on encrypted packets called bit-flip attacks. The MIC is implemented on both the access point and all associated client devices.
- CKIP: Cisco proprietary Temporal Key Integrity Protocol (CKIP), also known as WEP key hashing, is an additional WEP security feature that defends against an attack on WEP in which the intruder uses an unencrypted segment called the initialization vector (IV) in encrypted packets to calculate the WEP key.
- In addition to these, Aironet extensions carry more information, including:
  - Load that the AP currently handles
  - Number of hops from the wired network
  - Device type, which helps identify the product within the Cisco system for management
  - Device name
  - Number of associated clients
  - Radio type, used to determine certain characteristics about the radio, such as data rate, radio type (1310, 1200, 352 or 342), security type (WEP/802.1x), etc.
Cisco Compatible Extensions - Versions and Features
preamble-short
preamble-short (default)
Can be used to improve the performance of 802.11g clients that support short preambles, as there is less overhead per frame.
Use the preamble-short configuration interface command to enable short radio preambles. The radio preamble is a selection of data at the head of a packet that contains information that the access point and client devices need when sending and receiving packets. Use the no form of the command to change back to default values.
[no] preamble-short
Note: This command is not supported on the 5-GHz access point radio interface (dot11radio1).
Syntax Description
This command has no arguments or keywords.
Defaults
The default is short radio preamble.
Command Modes
Configuration interface
Usage Guidelines
If short radio preambles are enabled, clients may request either short or long preambles and the access point formats packets accordingly. Otherwise, clients are told to use long preambles.
Examples
This example shows how to set the radio packet to use a short preamble:
AP(config-if)# preamble-short
Part of the frame that is transmitted by an 802.11 station is called the preamble. The original 802.11 specification (which defined only 1 and 2Mbps operation) defined only a long preamble that uses a 128 bit sync field. When the "high rate", i.e. 11Mbps, 802.11b standard was created, an optional short preamble using a 56 bit "sync" field was added. This was intended to improve the efficiency of the wireless network for more "real-time" applications such as streaming video and Voice-over-IP telephony applications. Figure 1 has the gory details on the two preambles if you're interested.
Figure 1: Short and long 802.11 preambles (from 802.11 Wireless Networks: The Definitive Guide, used by permission [1])
All 802.11 devices in the 2.4 GHz band, including 802.11g devices, must be able to transmit and receive long preamble frames. 802.11g devices are required to be able to transmit and receive both long and short preambles, but support for short preamble in 802.11b devices is optional. The problem occurs when an 802.11g AP allows the use of Short Preamble by the stations it communicates with (also known as its BSS - Basic Service Set). The AP may also choose to allow legacy stations that do not support Short Preamble to associate with the BSS. If both these conditions are allowed, the legacy stations that aren't short-preamble-capable will not be able to understand much of the communication in the BSS, and most importantly won't be able to receive the all-important "Protection" frames. This could result in legacy 11b stations transmitting at the same time as 11g stations, which doesn't help either one to properly get their data sent!
This 802.11b interoperability problem has been noted in recent articles on draft-802.11g, but it looks as though it may be getting somewhat overstated. First, the short-preamble problem affects only a subset of the 802.11b products in the field. Specifically, ORiNOCO and Symbol cards and those using the Intersil PRISM 2.0 and Agere Systems chipsets.
Second, manufacturers may already have incorporated a fix for this problem into their AP code. (I've used both ORiNOCO and PRISM 2.0 based cards in my testing and have yet to run across the problem.) And finally, another reason to relax is that I'm told that the IEEE Task Group g committee will probably address this issue in the 802.11g standard after some additional debate.
broadcast-key
All dot1x clients have a unique key but share a separate broadcast key that is derived through the dot1x process. To rotate that key, use this command on the radio interface.
Use the broadcast-key configuration interface command to configure the time interval between rotations of the broadcast encryption key used for clients. Use the no form of the command to disable broadcast key rotation.
[no] broadcast-key [vlan vlan-id] [change secs] [membership-termination] [capability-change]
Note: Client devices using static WEP cannot use the access point when you enable broadcast key rotation. When you enable broadcast key rotation, only wireless client devices using 802.1x authentication (such as LEAP, EAP-TLS, or PEAP) can use the access point.
Note: This command is not supported on bridges.
Defaults
This command has no defaults.
Command Modes
Configuration interface
Examples
This example shows how to configure VLAN 10 to support broadcast key rotation with a 5-minute key rotation interval:
AP(config-if)# broadcast-key vlan 10 change 300
This example shows how to disable broadcast key rotation:
AP(config-if)# no broadcast-key
countermeasure tkip hold-time
Use this to freeze out clients after an attack such as a bit-flip is detected. It is applied per radio. Note that the countermeasure is itself a denial-of-service lever: two MIC failures within 60 seconds, whether genuine or provoked, take every TKIP client on that radio off the air for the hold time.
Use the countermeasure tkip hold-time configuration interface command to configure a TKIP MIC failure holdtime. If the access point detects two MIC failures within 60 seconds, it blocks all the TKIP clients on that interface for the holdtime period.
countermeasure tkip hold-time seconds
Syntax Description
seconds: the length of the TKIP holdtime in seconds (if the holdtime is 0, TKIP MIC failure hold is disabled)
Defaults
TKIP holdtime is enabled by default, and the default holdtime is 60 seconds.
Command Modes
Configuration interface
Examples
This example shows how to configure the TKIP holdtime on the access point radio:
ap(config-if)# countermeasure tkip hold-time 120
dot11 holdoff-time
This one threw me. You can use it with EAP and MAC authentication to freeze out clients that fail to log in properly, which slows down brute-force and DoS attempts. Unlike the TKIP countermeasure, the hold-off applies to the offending client rather than to the whole radio.
Use the dot11 holdoff-time global configuration command to specify the hold-off time for EAP and MAC address authentication. The holdoff time is invoked when a client fails three login attempts or fails to respond to three authentication requests from the access point. Use the no form of the command to reset the parameter to defaults.
[no] dot11 holdoff-time seconds
Syntax Description
seconds: the hold-off time in seconds
Defaults
The default holdoff time is 0 (disabled).
Command Modes
Global configuration
Examples
This example shows how to specify a 2-minute hold-off time:
AP(config)# dot11 holdoff-time 120
This example shows how to reset the hold-off time to the default (the no goes in front of the whole command):
AP(config)# no dot11 holdoff-time
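The two commands above (countermeasure tkip hold-time and dot11 holdoff-time) are the same shape of control: count failures, and once a threshold is crossed start a hold during which the AP refuses the affected party. The Python model below is an added example, not code from the page or from Cisco, parameterised for both: two MIC failures within 60 seconds with the hold applied to the whole radio, and three failed attempts with the hold applied to the one client. Time is passed in explicitly, so the sequences it is exercised with are constructed rather than measured, and the open-ended window for the EAP hold-off is an assumption, since the reference states no window for it.

```python
from collections import deque


class FailureLockout:
    """'threshold failures within window -> hold for hold_time', tracked per subject.

    The subject is whatever the hold is applied to: the radio interface for the TKIP
    countermeasure (every TKIP client on it is blocked), the client for dot11
    holdoff-time. hold_time 0 disables the feature, as it does in IOS.
    """

    def __init__(self, threshold, window, hold_time):
        self.threshold = threshold
        self.window = window
        self.hold_time = hold_time
        self._failures = {}      # subject -> deque of failure timestamps
        self._held_until = {}    # subject -> time the hold expires

    def is_held(self, subject, now):
        return self._held_until.get(subject, 0) > now

    def record_failure(self, subject, now):
        """Register one failure at time 'now'; True if this one trips the hold."""
        if self.hold_time == 0:
            return False
        history = self._failures.setdefault(subject, deque())
        history.append(now)
        while history and now - history[0] > self.window:
            history.popleft()          # forget failures older than the window
        if len(history) >= self.threshold:
            self._held_until[subject] = now + self.hold_time
            history.clear()
            return True
        return False


def tkip_countermeasure(hold_time=60):
    """countermeasure tkip hold-time <seconds>: 2 MIC failures in 60 s, default hold 60 s."""
    return FailureLockout(threshold=2, window=60, hold_time=hold_time)


def eap_holdoff(hold_time=0):
    """dot11 holdoff-time <seconds>: 3 failed attempts by one client, default 0 (disabled).
    The reference gives no window, so the example assumes the count never expires."""
    return FailureLockout(threshold=3, window=float("inf"), hold_time=hold_time)


def admit(lockout, subject, now):
    """What the AP does with an authentication attempt involving 'subject' at time 'now'."""
    return "reject" if lockout.is_held(subject, now) else "accept"
```

The asymmetry is the security point: the TKIP hold is keyed on the radio, so two MIC failures cost every TKIP client on that radio the hold time, while the EAP hold-off costs only the failing client. Neither helps against an attacker who spoofs a victim's MAC address and fails on its behalf, so on an exam-style lab the holdoff is a rate limiter, not an access control.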