An administrator must secure the WLC from receiving spoofed association requests. Which steps must be taken to configure the WLC to restrict the requests and force the user to wait 10 ms to retry an association request?
A. Enable MAC filtering and set the SA Query timeout to 10.
B. Enable 802.1x Layer 2 security and set the Comeback timer to 10.
C. Enable Security Association Teardown Protection and set the SA Query timeout to 10.
D. Enable the Protected Management Frame service and set the Comeback timer to 10.
Has to be D based on...
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html#anc8
Yes, D is the best answer with 802.11w PMF with protection and validation via secure hash to verify signed frames with MIC IE from a BSSID in the network. The secure pmf command is used together with the association-comeback time to configure a portion of this setup. In addition, it helps more with CAPWAP debugging for Cisco proprietary CCX/MFP messages between controller, APs, and devices. This method is supported on the newer WLCs.
https://www.cisco.com/c/en/us/support/docs/smb/wireless/cisco-small-business-wireless-access-points/smb5442-frequently-asked-questions-about-management-frame-protection.html#q3
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/802-11w.html.xml
A is not as effective with hardening the controller and AP association requests at an enterprise level.
https://www.portnox.com/blog/network-security/the-truth-about-mac-spoofing/
B: 802.1x is secure, encrypted and effective for client authentication, especially with RADIUS config. However, 802.1x/802.11x are not as specifically robust as the Protected Management Frame service mechanism and processes on WLC with 802.11w.
C: while Security Association is an excellent added protection with Association Comeback, this answer is wrong as the SA Query retry value is between 100 and 500 ms.
SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure preventing spoofed association requests from disconnecting an already connected client.
https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/802-11w.html.xml
Option C is the correct answer.
SA Teardown Protection Components:
Association Comeback Time:
The AP adds cryptographic protection to de-authentication and dissociation frames.
This prevents them from being spoofed in a Denial-of-Service (DOS) attack.
SA-Query Procedure:
Prevents spoofed association requests from disconnecting an already connected client.
When an AP receives an association request, it verifies the legitimacy before allowing the client to connect.
You then need to specify the comeback timer and SA query timeout. The comeback timer specifies the time that an associated client must wait before the association can be tried again when first denied with a status code 30. SA query timeout specifies the amount of time the WLC waits for a response from the client for the query process. If there is no response from the client, its association is deleted from the controller. This is done as shown in the image.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html
Option D suggests enabling the "Protected Management Frame service" and setting the "Comeback timer to 10." However, this option is not relevant to the scenario described in the question, which is about securing the Wireless LAN Controller (WLC) from spoofed association requests and introducing a delay before retries.
The "Protected Management Frame service" is typically used to secure management frames in a wireless network. It's not directly related to managing or restricting association requests from client devices or controlling the delay before they can retry association.
Option C, on the other hand, specifically addresses the issue of securing the WLC against spoofed association requests by using the Security Association Teardown Protection and configuring the SA Query timeout to introduce a delay. This is the appropriate approach for mitigating spoofed association requests, and that's why option C is the correct answer.
SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure preventing spoofed association requests from disconnecting an already connected client.
If a client has a valid security association, and has negotiated 802.11w, the AP shall reject another Association Request with status code 30. This status code stands for "Association request rejected temporarily; Try again later". The AP should not tear down or otherwise modify the state of the existing association until the SA-Query procedure determines that the original SA is invalid and shall include in the Association Response an Association Comeback Time information element, specifying a comeback time when the AP would be ready to accept an association with this client.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-1/config-guide/b_wl_17_11_cg/802-11w.pdf
I mean... D.
Step 1 Choose Configuration > Tags & Profiles > WLANs.
Step 2 Click Add to create WLANs.
The Add WLAN page is displayed.
Step 3 In the Security > Layer2 tab, navigate to the Protected Management Frame section.
Step 4 Choose PMF as Disabled, Optional, or Required. By default, the PMF is disabled.
If you choose PMF as Optional or Required, you get to view the following fields:
• Association Comeback Timer—Enter a value between 1 and 10 seconds to configure 802.11w association comeback time.
• SA Query Time—Enter a value between 100 to 500 (milliseconds). This is required for clients to negotiate 802.11w PMF protection on a WLAN.
Step 5 Click Save & Apply to Device.
Configure 802.11w Management Frame Protection on WLC - Cisco
"...
Benefits of 802.11w Management Frame Protection
...
AP Protection
...
Included in the Association Response is an Association Comeback Time information element which specifies a comeback time when the AP is ready to accept an association with this STA. This way you can ensure that legitimate clients are not disassociated due to a spoofed association request.
..."
Here is what Cisco says:
"You then need to specify the comeback timer and SA query timeout. The comeback timer specifies the time that an associated client must wait before the association can be tried again..."
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/212576-configure-802-11w-management-frame-prote.html
Security Association (SA) Teardown Protection is a mechanism in Cisco WLC that prevents replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure that prevents spoofed association requests from disconnecting an already connected client. Prior to the implementation of the 802.11w standard, if an AP received either an Association or Authentication request with a spoofed source address, it would tear down the existing association with the legitimate client. With SA Teardown Protection, the AP waits for a specified time before tearing down the existing association, allowing the legitimate client to re-associate with the AP.
I am not sure, but I think C is correct. D is just a part of SA teardown.
https://www.hitchhikersguidetolearning.com/2017/09/17/security-association-sa-teardown-protection-part-1/
Answer is C.
Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html
I checked with my netacad instructor after reading this
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html
association-comeback—Configures the 802.11w association. The range is from 1 through 20 seconds.
saquery-retry-time ... The range is from 100 to 500 ms. The value must be specified in multiples of 100 milliseconds.
I think the question should say 10 seconds; 10 ms does not fall into either possible range.
So 10 ms should not be possible. 10 seconds? --> comeback timer
Infrastructure protection is added by adding a Security Association (SA) tear down protection mechanism consisting of an Association Comeback Time and an SA-Query procedure preventing spoofed association request from disconnecting an already connected client.
association-comeback—Configures the 802.11w association. The range is from 1 through 20 seconds.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html
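To make the SA teardown behaviour discussed in these comments concrete, here is an added Python model of the AP-side decision (my own illustration, not Cisco code): a second association request for a MAC that already holds a PMF-negotiated SA is answered with status code 30 plus the comeback time, the existing SA is kept until the SA-Query goes unanswered, and the timer ranges are checked against the deployment-guide values quoted above (1-20 s and 100-500 ms in multiples of 100, taken as authoritative here). Class, function and MAC values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STATUS_SUCCESS = 0
STATUS_TEMP_REJECT = 30  # "Association request rejected temporarily; Try again later"


def validate_pmf_timers(comeback_s: int, sa_query_ms: int) -> None:
    """Ranges as quoted from the IOS XE deployment guide (assumed authoritative)."""
    if not 1 <= comeback_s <= 20:
        raise ValueError("association-comeback must be 1..20 seconds")
    if not (100 <= sa_query_ms <= 500 and sa_query_ms % 100 == 0):
        raise ValueError("saquery-retry-time must be 100..500 ms in multiples of 100")


@dataclass
class Station:
    pmf: bool                                  # did this client negotiate 802.11w?
    sa_query_deadline: Optional[float] = None  # set while an SA-Query is outstanding


@dataclass
class PmfAccessPoint:
    comeback_s: int
    sa_query_ms: int
    now: float = 0.0
    stations: Dict[str, Station] = field(default_factory=dict)

    def __post_init__(self) -> None:
        validate_pmf_timers(self.comeback_s, self.sa_query_ms)

    def assoc_request(self, mac: str, pmf: bool) -> Tuple[int, Optional[int]]:
        """Return (status code, Association Comeback Time in seconds or None)."""
        sta = self.stations.get(mac)
        if sta and sta.pmf:
            # Protected SA exists: do not tear it down. Reject temporarily,
            # tell the requester when to retry, and start an SA-Query instead.
            if sta.sa_query_deadline is None:
                sta.sa_query_deadline = self.now + self.sa_query_ms / 1000
            return STATUS_TEMP_REJECT, self.comeback_s
        # No PMF: pre-802.11w behaviour, the new request replaces the old SA.
        self.stations[mac] = Station(pmf=pmf)
        return STATUS_SUCCESS, None

    def sa_query_response(self, mac: str) -> None:
        """A protected SA-Query response proves the real client is still alive."""
        sta = self.stations.get(mac)
        if sta:
            sta.sa_query_deadline = None

    def tick(self, seconds: float) -> List[str]:
        """Advance time; return MACs whose SA was deleted for an unanswered SA-Query."""
        self.now += seconds
        expired = [m for m, s in self.stations.items()
                   if s.sa_query_deadline is not None and s.sa_query_deadline <= self.now]
        for m in expired:
            del self.stations[m]
        return expired
```

Note that the constructor rejects a 10 ms SA Query value, which is the point several comments make about the wording of the question.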
It is "C".
Security Association (SA) Teardown Protection
SA teardown protection is a mechanism to prevent replay attacks from tearing down the session of an existing client. It consists of an Association Comeback Time and an SA-Query procedure preventing spoofed association requests from disconnecting an already connected client.
Ref: Configure 802.11w Management Frame Protection on WLC – Cisco
“…
Benefits of 802.11w Management Frame Protection
…
• AP Protection
…
When you use 802.11w MFP, if the STA is associated and has negotiated Management Frame Protection, the AP rejects the Association Request with return status code 30 Association request rejected temporarily; Try again later to the client.
Included in the Association Response is an Association Comeback Time information element which specifies a comeback time when the AP would be ready to accept an association with this STA. This way you can ensure that legitimate clients are not disassociated due to a spoofed association request.
…”
A. Enable MAC filtering and set the SA Query timeout to 10.
Wrong answer.
B. Enable 802.1x Layer 2 security and set the Comeback timer to 10.
Wrong answer.
C. Enable Security Association Teardown Protection and set the SA Query timeout to 10.
Wrong answer.
D. Enable the Protected Management Frame service and set the Comeback timer to 10.
Correct answer.