How to control access points from enabling protection against 802.11b or legacy clients?
Environment : This article applies to Aruba Mobility Controllers and Access Points.
The 802.11g APs signal to all associated stations in the basic service set (BSS) to use protection mechanisms when a 802.11b station associates to the AP. This is done by access points inorder to maintain backward compatibility.
Access Points indicate this to its own BSS by setting "Use_Protection bit" to 1 and to other APs by setting "NonERP_Present bit" to 1, in the beacons. Below is a capture of a AP beacon that shows these bits enable:
To accomodate 802.11b clients by enabling protection mechanisms can easily cause more than a 50% loss in overall WLAN throughput in the BSS and latency also increases significantly. In corporate 802.1X/ EAP enabled SSID's, it could become worse as Open System Authentication is used to authenticate and associate to the AP prior to EAP authenticating and associating to the network using a user name and password.
One way to keep this protection mechanism from getting out of control (its modus operandi) is to disable broadcasting of the SSID in the Beacon and disable responses to Probe Request frames with blank (null) SSID fields. By doing so, STAs that do not specifically have the correct SSID configured will not successfully authenticate using Open System Authentication. If they cannot authenticate, they will not send Association Request frames.
Advanced SSID configuration on Aruba Controllers come with "Hide SSID" and "Deny_Broadast Probes" to control legacy protection. Below screenshot shows CLI commands to enable them:
(SSID profile output is truncated)