User's Manual
12-33
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Configuring WLSM Failover
Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value
is exceeded, the access point logs the information or sends an alert.
Configuring an Authentication Failure Limit
Setting an authentication failure limit protects your network against a denial-of-service attack called
EAPOL flooding. The 802.1X authentication that takes place between a client and the access point
triggers a series of messages between the access point, the authenticator, and an authentication server
using EAPOL messaging. The authentication server, typically a RADIUS server, can quickly become
overwhelmed if there are too many authentication attempts. If not regulated, a single client can trigger
enough authentication requests to impact your network.
In monitor mode the access point tracks the rate at which 802.1X clients attempt to authenticate through
the access point. If your network is attacked through excessive authentication attempts, the access point
generates an alert when the authentication threshold has been exceeded.
You can configure these limits on the access point:
• Number of 802.1X attempts through the access point
• EAPOL flood duration in seconds on the access point
When the access point detects excessive authentication attempts it sets MIB variables to indicate this
information:
• An EAPOL flood was detected
• Number of authentication attempts
• MAC address of the client with the most authentication attempts
Beginning in privileged EXEC mode, follow these steps to set authentication limits that trigger a fault
on the access point:
Configuring WLSM Failover
To ensure near hot standby in cases of WLSM failure, the WLSM Version 2.13 Release supports resilient
tunnel recovery and active and standby WLSMs.
Resilient Tunnel Recovery
In the case of a single chassis scenario (only one WLSM per chassis), if the WLSM software fails,
existing access point clients connected to the SUP continue to be connected to the SUP and won’t notice
any interruption in service. When an access point detects a WLSM failure, it doesn’t tear down the active
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
dot11 ids eap attempts number
period seconds
Configure the number of authentication attempts and the
number of seconds of EAPOL flooding that trigger a fault on
the access point.
Step 3
end Return to privileged EXEC mode.