Cisco IOS Command Reference for Cisco Aironet Access Points and Bridges
0L-24115-01
Chapter 2 Cisco IOS Commands for Access Points and Bridges
dot11 ids eap attempts
Use the dot11 ids eap attempts global configuration command to configure the number of
authentication attempts and the number of seconds of EAPOL flooding that trigger a fault on a scanner
access point in monitor mode.
Setting an authentication failure limit protects your network against a denial-of-service attack called
EAPOL flooding. The 802.1X authentication that takes place between a client and the access point
triggers a series of messages between the access point, the authenticator, and an authentication server
using EAPOL messaging. The authentication server can quickly become overwhelmed if there are too
many authentication attempts. If not regulated, a single client can trigger enough authentication requests
to impact your network.
A scanner access point in monitor mode tracks the rate at which 802.1X clients attempt to authenticate
through the access point. If your network is attacked through excessive authentication attempts, the
access point generates an alert when the authentication threshold has been exceeded.
[no] dot11 ids eap attempts number period seconds

Syntax Description
number     Specifies the number of authentication attempts that triggers a fault on a scanner access point in monitor mode
seconds    Specifies the number of seconds of EAPOL flooding that triggers a fault on a scanner access point in monitor mode

Defaults This command has no defaults.

Command Modes Global configuration

Command History
Release      Modification
12.3(4)JA    This command was introduced.

Examples This example shows how to configure a limit on authentication attempts and on the duration of EAPOL
flooding on a scanner access point in monitor mode:
ap(config)# dot11 ids eap attempts 10 period 10

Related Commands
Command               Description
debug dot11 ids       Enables wireless IDS debugging
show dot11 ids eap    Displays IDS statistics
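
A model of the threshold described above, as an added Python example (not Cisco code; this page does not describe the access point's exact counting algorithm). It assumes a sliding window in which number attempts within period seconds raise one fault per flood episode; the function name, MAC addresses and event timings are constructed.

```python
from collections import Counter, deque

def eap_flood_alerts(events, number=10, period=10):
    """Model of `dot11 ids eap attempts <number> period <seconds>`.

    events: (timestamp_seconds, client_mac) tuples sorted by time.
    Returns one (time, attempts_in_window, top_mac, top_mac_attempts)
    tuple per flood episode. Sliding-window counting is an assumption.
    """
    window = deque()          # attempts seen in the last `period` seconds
    per_client = Counter()    # attempts per source MAC inside the window
    alerts, in_alert = [], False
    for ts, mac in events:
        window.append((ts, mac))
        per_client[mac] += 1
        # Expire attempts that have aged out of the window.
        while window[0][0] <= ts - period:
            _, old_mac = window.popleft()
            per_client[old_mac] -= 1
        if len(window) < number:
            in_alert = False
        elif not in_alert:
            # Threshold reached: alert once, naming the busiest client.
            top_mac, top_n = per_client.most_common(1)[0]
            alerts.append((ts, len(window), top_mac, top_n))
            in_alert = True
    return alerts

# Constructed sample data (documentation-range MAC addresses).
NORMAL = [(0.0, "00:00:5e:00:53:01"), (4.0, "00:00:5e:00:53:02"),
          (9.0, "00:00:5e:00:53:03"), (15.0, "00:00:5e:00:53:01"),
          (21.0, "00:00:5e:00:53:02")]
FLOOD_MAC = "00:00:5e:00:53:ff"
FLOOD = [(30.0 + 0.25 * i, FLOOD_MAC) for i in range(12)]  # 4 attempts/s

if __name__ == "__main__":
    for alert in eap_flood_alerts(NORMAL + FLOOD):
        print("fault at t=%.2fs: %d attempts in window, top client %s (%d)" % alert)
```

Replaying attempt timestamps from a normal busy period through the function shows whether a candidate number and period pair would fire on legitimate load before it is configured on the scanner access point.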