Exam 200-301 topic 1 question 253 discussion

Actual exam question from Cisco's 200-301
Question #: 253
Topic #: 1

An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to restrict the requests and force the user to wait 10 ms to retry an association request?

  • A. Enable MAC filtering and set the SA Query timeout to 10.
  • B. Enable 802.1x Layer 2 security and set the Comeback timer to 10.
  • C. Enable Security Association Teardown Protection and set the SA Query timeout to 10.
  • D. Enable the Protected Management Frame service and set the Comeback timer to 10.
Suggested Answer: D

Comments

MrPOW
Highly Voted 3 years, 6 months ago
Has to be D based on.. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html#anc8
upvoted 19 times
...
orxan1492
Most Recent 3 months, 1 week ago
Selected Answer: C
It's C
upvoted 1 times
...
Kabir455
10 months, 1 week ago
Option C is the correct answer. SA Teardown Protection Components: Association Comeback Time: The AP adds cryptographic protection to de-authentication and dissociation frames. This prevents them from being spoofed in a Denial-of-Service (DoS) attack. SA-Query Procedure: Prevents spoofed association requests from disconnecting an already connected client. When an AP receives an association request, it verifies the legitimacy before allowing the client to connect.
upvoted 1 times
...
Sh3444
1 year, 1 month ago
Selected Answer: D
You then need to specify the comeback timer and SA query timeout. The comeback timer specifies the time that an associated client must wait before the association can be tried again when first denied with a status code 30. SA query timeout specifies the amount of time the WLC waits for a response from the client for the query process. If there is no response from the client, its association is deleted from the controller. This is done as shown in the image. https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html
upvoted 1 times
...
MaxaMillion
1 year, 2 months ago
Option D suggests enabling the "Protected Management Frame service" and setting the "Comeback timer to 10." However, this option is not relevant to the scenario described in the question, which is about securing the Wireless LAN Controller (WLC) from spoofed association requests and introducing a delay before retries. The "Protected Management Frame service" is typically used to secure management frames in a wireless network. It's not directly related to managing or restricting association requests from client devices or controlling the delay before they can retry association. Option C, on the other hand, specifically addresses the issue of securing the WLC against spoofed association requests by using the Security Association Teardown Protection and configuring the SA Query timeout to introduce a delay. This is the appropriate approach for mitigating spoofed association requests, and that's why option C is the correct answer.
upvoted 4 times
...
Stevens0103
1 year, 4 months ago
Selected Answer: C
SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure preventing spoofed association requests from disconnecting an already connected client. If a client has a valid security association, and has negotiated 802.11w, the AP shall reject another Association Request with status code 30. This status code stands for "Association request rejected temporarily; Try again later". The AP should not tear down or otherwise modify the state of the existing association until the SA-Query procedure determines that the original SA is invalid and shall include in the Association Response an Association Comeback Time information element, specifying a comeback time when the AP would be ready to accept an association with this client. https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/802-11w.pdf
upvoted 2 times
Stevens0103
1 year, 4 months ago
I mean... D.
Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add to create WLANs. The Add WLAN page is displayed.
Step 3 In the Security > Layer2 tab, navigate to the Protected Management Frame section.
Step 4 Choose PMF as Disabled, Optional, or Required. By default, the PMF is disabled. If you choose PMF as Optional or Required, you get to view the following fields:
• Association Comeback Timer—Enter a value between 1 and 10 seconds to configure 802.11w association comeback time.
• SA Query Time—Enter a value between 100 to 500 (milliseconds). This is required for clients to negotiate 802.11w PMF protection on a WLAN.
Step 5 Click Save & Apply to Device.
upvoted 1 times
...
...
Vikramaditya_J
1 year, 8 months ago
Selected Answer: C
Security Association (SA) Teardown Protection is a mechanism in Cisco WLC that prevents replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure that prevents spoofed association requests from disconnecting an already connected client. Prior to the implementation of the 802.11w standard, if an AP received either an Association or Authentication request with a spoofed source address, it would tear down the existing association with the legitimate client. With SA Teardown Protection, the AP waits for a specified time before tearing down the existing association, allowing the legitimate client to re-associate with the AP.
upvoted 1 times
...
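The AP-side behaviour the comments above describe (status code 30, the comeback time, and the SA Query timeout), as an added Python sketch that is not from the thread or from Cisco. The class and function names, the sample MAC address and the timer values (10 s comeback, 200 ms SA Query timeout) are assumptions, and the cryptographic protection of the SA Query response is reduced to a method call.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS = 0
STATUS_TRY_LATER = 30  # "Association request rejected temporarily; Try again later"

@dataclass
class AccessPoint:
    comeback_s: float = 10.0         # Association Comeback Time (assumed value)
    sa_query_timeout_s: float = 0.2  # SA Query timeout (assumed value)
    assoc: dict = field(default_factory=dict)    # MAC -> True if PMF was negotiated
    pending: dict = field(default_factory=dict)  # MAC -> SA Query deadline

    def on_assoc_request(self, mac, now, pmf=True):
        self._expire(now)
        if self.assoc.get(mac):
            # Existing PMF-protected SA: leave it untouched, start an SA Query,
            # and tell the requester when to come back.
            self.pending.setdefault(mac, now + self.sa_query_timeout_s)
            return STATUS_TRY_LATER, self.comeback_s
        # No SA, or a pre-802.11w one: the request simply (re)creates the association.
        self.assoc[mac] = pmf
        return STATUS_SUCCESS, None

    def on_sa_query_response(self, mac, now):
        # Stands in for a protected SA Query response only the real client can send.
        self._expire(now)
        return self.pending.pop(mac, None) is not None

    def _expire(self, now):
        # An unanswered SA Query means the original SA is invalid: delete it.
        for mac, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[mac]
                self.assoc.pop(mac, None)

MAC = "02:00:00:00:00:01"  # constructed sample address

def spoofed_request():
    ap = AccessPoint()
    ap.on_assoc_request(MAC, now=0.0)                     # legitimate client joins
    status, comeback = ap.on_assoc_request(MAC, now=1.0)  # forged request, same MAC
    answered = ap.on_sa_query_response(MAC, now=1.05)     # real client answers in time
    return status, comeback, answered, MAC in ap.assoc

def client_lost_keys():
    ap = AccessPoint()
    ap.on_assoc_request(MAC, now=0.0)
    first, comeback = ap.on_assoc_request(MAC, now=1.0)   # rebooted client, no answer follows
    retry, _ = ap.on_assoc_request(MAC, now=1.0 + comeback)
    return first, retry
```

`spoofed_request()` shows the forged request being deferred while the real client stays associated; `client_lost_keys()` shows a genuine client that lost its keys being admitted once the unanswered SA Query has expired and the comeback time has passed.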
Mahfuj_01
2 years, 1 month ago
Answer is C. Reference : https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html
upvoted 1 times
...
splashy
2 years, 2 months ago
Selected Answer: D
I checked with my netacad instructor after reading this https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html association-comeback—Configures the 802.11w association. The range is from 1 through 20 seconds. saquery-retry-time ... The range is from 100 to 500 ms. The value must be specified in multiples of 100 milliseconds. I think the question should say 10 seconds; 10 ms does not fall into either possible range. So 10 ms should not be possible. 10 seconds? --> comeback timer
upvoted 2 times
...
aizudin
2 years, 3 months ago
Selected Answer: C
Infrastructure protection is added by adding a Security Association (SA) tear down protection mechanism consisting of an Association Comeback Time and an SA-Query procedure preventing spoofed association request from disconnecting an already connected client. association-comeback—Configures the 802.11w association. The range is from 1 through 20 seconds. https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html
upvoted 2 times
...
PiotrMar
2 years, 4 months ago
it is "C" Security Association (SA) Teardown Protection SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure preventing spoofed association requests from disconnecting an already connected client.
upvoted 2 times
...
ZUMY
2 years, 6 months ago
Selected Answer: D
Going with D: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html#anc8
upvoted 3 times
...
jossyda
2 years, 7 months ago
Selected Answer: D
Protected Management Frames (PMF) to secure important 802.11 management frames between APs and clients, to prevent malicious activity that might spoof or tamper with a BSS’s operation.
upvoted 3 times
...
dipanjana1990
2 years, 9 months ago
D is the correct answer. Since Protected Management Frame doesn't let spoofed clients associate with the access point, whereas Security Association Teardown Protection tears down spoofed association as original association already exists in the table with WLC. Thus, D will be the correct answer
upvoted 1 times
...
awashenko
2 years, 12 months ago
Selected Answer: D
I also think D is correct https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html
upvoted 2 times
...
daanderud
3 years ago
Selected Answer: D
D is the correct answer
upvoted 2 times
...
Anarckii
3 years ago
The answer should be D. The question asks about the association request, which involves the management of the WLC
upvoted 1 times
...