Configuring WLC to Restrict Spoofed Association Requests

Restricting Spoofed Association Requests on WLC

Question

An administrator must secure the WLC from receiving spoofed association requests.

Which steps must be taken to configure the WLC to restrict the requests and force the user to wait 10 ms to retry an association request?

Answers

Explanations


A. B. C. D.

C.

The correct answer for this question is A. Enable MAC filtering and set the SA Query timeout to 10.

Here is the detailed explanation:

Wireless Local Area Networks (WLANs) can be vulnerable to attacks such as spoofing, where an attacker sends fake association requests to the WLAN Access Point (AP) in order to gain unauthorized access to the network. To prevent this type of attack, it is necessary to configure the WLAN Controller (WLC) to restrict the association requests and enforce a waiting period before allowing the client to retry the association request.

The two methods commonly used to restrict association requests and enforce waiting periods are:

  1. MAC filtering: This method involves configuring the WLC to allow only authorized MAC addresses to associate with the AP. When a client sends an association request to the AP, the AP sends a Security Association (SA) query to the WLC to verify whether the client MAC address is allowed. If the client MAC address is not authorized, the WLC rejects the association request. To enforce a waiting period, the WLC can be configured to set the SA Query timeout to a specific value. This timeout value determines how long the client must wait before retrying the association request.

  2. 802.1X Layer 2 security: This method involves configuring the WLC to use the IEEE 802.1X standard for authentication and authorization of clients. When a client sends an association request to the AP, the AP sends an EAP Request Identity message to the client to initiate the authentication process. If the client fails to provide valid credentials, the WLC rejects the association request. To enforce a waiting period, the WLC can be configured to set the Comeback timer to a specific value. This timer value determines how long the client must wait before retrying the association request.

In this question, the requirement is to configure the WLC to restrict spoofed association requests and enforce a waiting period of 10 ms before allowing clients to retry the association request. Option A is the correct answer as it recommends enabling MAC filtering and setting the SA Query timeout to 10. This will allow only authorized MAC addresses to associate with the AP, and any client that sends a spoofed association request will be rejected by the WLC. Additionally, the SA Query timeout of 10 ms will enforce a waiting period before allowing the client to retry the association request.

Option B is incorrect as it recommends using 802.1X Layer 2 security and setting the Comeback timer to 10. While this method can also be used to restrict association requests and enforce waiting periods, it is not the best approach for this specific scenario. 802.1X security involves additional overhead and complexity, and the Comeback timer of 10 ms is not a realistic value for this scenario.

Option C is incorrect as it recommends enabling Security Association Teardown Protection and setting the SA Query timeout to 10. This option is not relevant to the scenario as Security Association Teardown Protection is used to prevent unauthorized disassociation of clients, not spoofed association requests.

Option D is also incorrect as it recommends enabling the Protected Management Frame service and setting the Comeback timer to 10. While this service provides additional security for management frames, it is not relevant to the scenario as it does not address the issue of spoofed association requests.