CISCO-LWAPP-MFP-MIB: View SNMP OID List / Download MIB

This MIB is intended to be implemented on all those devices operating as Central Controllers (CC) that terminate the Light Weight Access Point Protocol tunnel from Light-weight LWAPP Access Points. This MIB instrumentation provides the parameters used by the controller to control and monitor the behavior of the associated Access Points when following the newly defined Management Frame Protocol. The controller would pass the MFP settings configured by the user through this MIB to the APs through LWAPP messages. The APs then begin to validate and verify the integrity of 802.11 Management frames and report the anomalies found, if any, to the controller. The relationship between CC and the LWAPP APs can be depicted as follows. +......+ +......+ +......+ +......+ + + + + + + + + + CC + + CC + + CC + + CC + + + + + + + + + +......+ +......+ +......+ +......+ .. . . . .. . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + AP + + AP + + AP + + AP + + AP + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ . . . . . . . . . . . . . . . . . . . . . . . . +......+ +......+ +......+ +......+ +......+ + + + + + + + + + + + MN + + MN + + MN + + MN + + MN + + + + + + + + + + + +......+ +......+ +......+ +......+ +......+ The LWAPP tunnel exists between the controller and the APs. The MNs communicate with the APs through the protocol defined by the 802.11 standard. LWAPP APs, upon bootup, discover and join one of the controllers and the controller pushes the configuration, which includes the WLAN parameters, to the LWAPP APs. The APs then encapsulate all the 802.11 frames from wireless clients inside LWAPP frames and forward the LWAPP frames to the controller. Reference [2] explains in detail about the communication between the controller and APs, while Reference [1] explains the AP-MN communication. To secure the 802.11 management traffic, the controller and the APs perform specific roles. The controller acts as the central entity to generate and distribute signature keys using which the APs generate integrity check values, also known as signatures, for individual management frames. The APs append this signature in the form of an Information Element to the respective management frame to be transmitted. This is needed to isolate those potential rogue APs whose frames may not carry the frame signature. The APs use the signature keys, generated and pushed to them by the controller for each BSSID reported as heard by the APs, to validate the integrity of the the management traffic originating from various 802.11 sources. Any anomalies observed by the APs are reported to the controller. The controller makes the information about such events available for a network management Station in the form of notifications. GLOSSARY Access Point ( AP ) An entity that contains an 802.11 media access control ( MAC ) and physical layer ( PHY ) interface and provides access to the distribution services via the wireless medium for associated clients. LWAPP APs encapsulate all the 802.11 frames in LWAPP frames and sends them to the controller to which it is logically connected. AP-Authentication With this feature enabled, the Access Points sending radio resource management neighbor packets with different RF network names will be reported as rogues. Basic Service Set Identifier ( BSSID ) The identifier of the Basic Service Set controlled by a single coordination function. The identifier is usually the MAC address of the radio interface that hosts the BSS. Central Controller ( CC ) The central entity that terminates the LWAPP protocol tunnel from the LWAPP APs. Throughout this MIB, this entity is also referred to as 'controller'. Light Weight Access Point Protocol ( LWAPP ) This is a generic protocol that defines the communication between the Access Points and the Central Controller. Management Frame Protection ( MFP ) A proprietary mechanism devised to integrity protect the otherwise unprotected management frames of the 802.11 protocol specification. Message Integrity Check ( MIC ) A checksum computed on a sequence of bytes and made known to the receiving party in a data communication, to let the receiving party make sure the bytes received were not compromised enroute. Mobile Node ( MN ) A roaming 802.11 wireless device in a wireless network associated with an access point. Network Management Station ( NMS ) The system through which the network administrator manages the controller and the APs associated to it. REFERENCE [1] Wireless LAN Medium Access Control ( MAC ) and Physical Layer ( PHY ) Specifications, ANSI/IEEE Std 802.11, 1999 Edition. [2] Draft-obara-Capwap-lwapp-00.txt, IETF Light Weight Access Point Protocol

This notification is sent by the agent when the controller detects that the AP couldn't apply the protection configuration to the specific radio interface for the specified WLAN. The controller detects the mismatch by matching the MFP configuration requested to be applied with the configuration returned in the acknowledgement as having been applied to the radio interface. The controller also generates this notification to indicate that configuration mismatch is cleared when the values of cLMfpProtectionEnable and cLMfpApIfMfpProtectionActual are found to be the same. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.

This notification is sent by the agent when the controller detects that the AP couldn't configure itself with the MFP signature validation configuration. The controller detects the mismatch by matching the MFP configuration requested to be applied with the configuration returned in the acknowledgement as having been configured by the AP. The controller also generates this notification to indicate that configuration mismatch is cleared when the values of cLMfpApMfpValidationEnable and cLMfpApMfpValidationActual are found to be the same. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.

This notification is sent by the agent to indicate the controller's status of synchronization of its timebase with that of a central timebase. The notification is sent once after the controller comes up and thereafter, it is sent everytime the status changes.

This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the AP cLApMacAddress. The violation is indicated by cLMfpEventType. Through this notification, the controller reports the NMS the occurrence of a total of cLMfpEventTotal volation events, of type cLMfpEventType, upon observing the management frame(s) indicated by cLMfpEventFrames for the last cLMfpEventPeriod time units. When cLMfpEventTotal is 0, it indicates that no further anomalies have recently been detected and that the NMS should clear any alarm raised about the MFP errors. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.

This notification is sent by the agent when the MFP configuration of the WLAN was violated by the radio interface cLApIfSmtDot11Bssid and detected by the radio interface cLApDot11IfSlotId of the AP cLApMacAddress. The violation is indicated by cLMfpEventType. Through this notification, the controller reports the NMS the occurrence of a total of cLMfpEventTotal volation events, of type cLMfpEventType, upon observing the management frame(s) indicated by cLMfpEventFrames for the last cLMfpEventPeriod time units. When cLMfpEventTotal is 0, it indicates that no further anomalies have recently been detected and that the NMS should clear any alarm raised about the MFP errors. cLClientLastSourceMacAddress is used only when the controller generates notifications about client-related attacks. The controller will populate zeros as the value for cLClientLastSourceMacAddress when reporting anomalies sourced by infrastructure devices. This notification is generated by the controller only if MFP has been configured as the protection mechanism through cLMfpProtectType.

This object specifies the radio MAC address of a LWAPP AP.

This object specifies the slotId of the dot11 interface.

This object indicates the identifier for a WLAN.

The actual protection configuration for a specific WLAN as applicable to a dot11 interface of a specific AP.

The type of the MFP anomaly event.

The number of MFP anomaly events detected in the prior period indicated by cLMfpEventPeriod. cLMfpEventType indicates the type of the anomaly event.

The time period, in hundredths of a second, in which the reported number of events are detected. This is the time interval at which the controller periodically checks for the anomaly events to be reported to the NMS through the ciscoLwappMfpAnomalyDetected notification.

This object indicates which type of 802.11 management frames contain anomalies of type cLMfpEventType. When the controller detects anomalies using the MFP validation test it will generate the ciscoLwappMfpAnomalyDetected notification.

This object represents the MAC address of the client that is responsible for the most recent event related to a wireless client. This information is useful to identify the rogue client that has staged the most recent attack on the wireless network.

The authentication mechanism to be used to secure the WLANs managed through this controller. cLMfpProtectNone - No authentication or protection mechanism is configured on the controller. cLMfpProtectApAuth - AP-authentication is configured as the authentication and protection mechanism on the controller. cLMfpProtectMfp - MFP is configured as the as the authentication and protection mechanism on the controller. The settings configured through cLMfpProtectionEnable and cLMfpApMfpValidationEnable for a WLAN and AP respectively take effect only if this object is set to 'cLMfpProtectMfp'. Enumeration: 'cLMfpProtectNone': 1, 'cLMfpProtectApAuth': 2, 'cLMfpProtectMfp': 3.

This table provides the configuration needed by the controller to enable management frame protection on a particular WLAN. A controller, when configured, enables the MFP on individual WLANs. When these WLANs that have MFP enabled are applied to the APs, the APs become part of the MFP framework. The APs will receive the signature keys to be used to generate MICs for unicast and broadcast management frames upon joining the controller. With these keys, the APs generate the MIC for individual management frames and append the value as an information element to the respective frames. The creation of a new row in cLWlanConfigTable through an explicit network management action results in creation of an entry in this table. Similarly, deletion of a row in cLWlanConfigTable through user action causes the deletion of corresponding row in this table.

A conceptual row in cLMfpWlanConfigTable and represents the MFP configuration on a particular WLAN.

The version of the Management Frame Protection Protocol required for the MFP framework when the MFP protection is enabled through the cLMfpProtectionEnable object.

This object specifies whether the MFP protection on this WLAN be enabled or not. A value of 'true' enables management frame protection on the WLAN and 'false' disables management frame protection. Note that MFP is enabled or disabled on a WLAN through the values of 'true' and 'false' only if MFP is configured as the protection mechanism by setting the object cLMfpProtectType to 'cLMfpProtectMfp'. The NMS shall modify the value of this object, but the change made will take effect only if MFP is configured as the protection mechanism on the controller through the cLMfpProtectType object.

This object specifies the level of client MFP protection for this WLAN. disabled - client protection is disabled. enabled - client protection is optional. required - client protection is mandatory. Enumeration: 'disabled': 1, 'required': 3, 'enabled': 2.

The status of synchronization of the MFP-aware LWAPP controller's timebase with that of a central time server.

This table provides the configuration of MFP related parameters corresponding to a particular AP. A row is added to the table by the agent when a a row is added to cLApTable of CISCO-LWAPP-AP-MIB. Similarly, a row is deleted from this table when the corresponding row is deleted from cLApTable.

A conceptual row in this table and represents the MFP parameters of a particular AP.

This object specifies whether the AP should validate the management frames received by it in accordance with the MFP version or not. A value of 'true' indicates that the AP should validate all the received management frames accordance with the MFP version supported by the respective dot11 interface on which the frame was received. A value of 'false' indicates that the AP won't validate the received management frames. Note that MFP validation is enabled or disabled on an AP through the values of 'true' and 'false' only if MFP is configured as the protection mechanism by setting the object cLMfpProtectType to 'cLMfpProtectMfp'. The NMS shall modify the value of this object, but the change made will take effect only if MFP is configured as the protection mechanism on the controller through the cLMfpProtectType object.

This object indicates the status of MFP validation being done as reported by the AP in response to the controller's request to perform MFP validation. A value of 'true' indicates that all the management frames received by the AP will be validated in accordance with the MFP version supported by the respective dot11 interface on which the frame was received. A value of 'false' indicates that the management frames received by this AP won't be validated.

This table provides the MFP capabilities on a dot11 radio interface of an AP that has joined this controller. An AP performs the role of protecting and validating management frames on its dot11 interfaces. It protects the management frames transmitted out on a dot11 interface when the signature protection capability is enabled on that interface through the object cLMfpApIfMfpProtectionCapability. Similarly, it validates all the management frames received on a dot11 interface when MFP validation capability is enabled on the AP. A row is added to the table by the agent corresponding to each dot11 interface of an AP, when it adds the row(s) to cLApIfSmtParamTable of CISCO-LWAPP-AP-MIB. The agent deletes the row(s) when it deletes the corresponding rows from cLApIfSmtParamTable.

A conceptual row in this table and represents the MFP capabilities on the dot11 interface of a particular LWAPP AP.

The version of the Management Frame Protection protocol currently supported by this radio interface.

The management frame protection capability currently exhibited by the dot11 interface. protectCapNone - protection is not supported on this dot11 interface. protectCapNoBeacon - protection is supported for all types of 802.11 management frames except for beacon and probe rsponse frames. protectCapAllFrames - protection is supported for all types of 802.11 management frames. Enumeration: 'protectCapNoBeacon': 2, 'protectCapAllFrames': 3, 'protectCapNone': 1.

The management frame validation capability currently exhibited by this dot11 interface. validateCapNone - The MFP validation is not done by this dot11 interface. validateCapAllFrames - The MFP validation is supported on ths dot11 interface for all types of 802.11 management frames. Enumeration: 'validateCapAllFrames': 2, 'validateCapNone': 1.

The object to control the generation of notifications defined in this MIB. A value of 'true' indicates that the agent generates the notifications defined in this MIB. A value of 'false' indicates that the agent doesn't generate the notifications.

This table represents the MFP information for 802.11 wireless clients that are associated with the APs that have joined this controller.

Each entry represents a conceptual row in this table and provides MFP information about the clients associated to the APs that have joined the controller.

This object indicates whether MFP protection is enabled for a particular client. A value of 'true' indicates that MFP protection is enabled. A value of 'false' indicates MFP protection is disabled.

The compliance statement for the SNMP entities that implement the ciscoLwappMfpMIB module.

The compliance statement for the SNMP entities that implement the ciscoLwappMfpMIB module.

This collection of objects represent the global and WLAN-specific protection capabilities on the controller.

This collection of objects provides the information about the MFP signature protection capabilities as observed on the dot11 interfaces of the LWAPP APs.

This collection of objects represent the information carried by the MFP related notifications sent by the agent to a network management station.

This collection of objects represent the MFP related notifications sent by the agent to a network management station.

This collection of objects represent the configuration for client protection on the controller.

This collection of objects represent the status of client protection on the controller.

This collection of objects represent the client related information in the MFP notifications generated by the controller.

This collection of objects represent the MFP related notifications sent by the agent to a network management station.