Management Frame Protection (MFP) is a wireless feature that increases the security of management frames. It is standardized as IEEE 802.11w-2009, also known as Protected Management Frames (PMF), which aims to provide data confidentiality of the management frames and protect wireless connectivity. This feature only works if both the access point and the client have MFP enabled.
There are certain restrictions for some wireless clients to communicate with MFP-enabled infrastructure devices. MFP adds a long set of information elements to each probe request or SSID beacon. Some wireless clients such as Personal Digital Assistants (PDAs), smartphones, barcode scanners, and so forth have limited memory and CPU, so they are not able to process these requests or beacons. As a result, they fail to see the Service Set Identifier (SSID) entirely, or they are not able to associate with these infrastructure devices due to a mismatch of SSID capabilities. This issue is not specific to MFP. It also occurs with any SSID that has multiple information elements (IEs). It is always recommended to test MFP-enabled SSIDs in your environment with all your available client types before you deploy them on a live network.
This article provides instructions on how to configure MFP on your Wireless Access Point (WAP).
Note: Your wireless client or operating system may or may not support this feature. Check with your wireless device or operating system manufacturer for more details.
WAP100 Series – WAP150
WAP300 Series – WAP361, WAP371
184.108.40.206 – WAP371, WAP551, WAP561
220.127.116.11 – WAP150, WAP361, WAP571, WAP571E
Important: Make sure that your wireless network has been configured before proceeding with the configuration steps.
Step 1. Log in to the access point web-based utility then choose Wireless > Networks.
Step 2. In the Radio area of the Networks page, click to choose a radio where your Service Set Identifier (SSID) is configured. Radios may vary depending on the WAP model that you have. In this example, Radio 2 (5 GHz) is chosen.
Note: If you have a WAP551, skip to Step 3. WAP551 is a single-band access point.
Step 3. Under the Virtual Access Points (SSIDs), check the check box of the SSID that you want to configure then click Edit.
Note: In this scenario, WAP571 is used.
Step 4. Click Show Details.
Step 5. In the WPA Versions area, check the WPA2-AES check box.
Step 6. (Optional) If the WPA-TKIP check box is checked in the WPA Versions area, uncheck it to show the MFP options. WPA-TKIP security does not support the MFP feature.
Step 7. In the MFP area, check the Required MFP check box.
The options are:
Not Required — Disables the client support for MFP.
Capable — Allows both MFP-capable clients and clients that do not support MFP to join the network. This is the default MFP setting on the WAP.
Required — Clients are allowed to associate only if MFP is negotiated. If the devices do not support MFP, they are not allowed to join the network.
Step 8. Click Save.
Step 9. Once the Confirm popup window appears, click OK.
You should now have configured MFP on your access point.
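To confirm that the saved setting is what the SSID actually advertises, the following added example (not part of the original article or of any Cisco tooling) decodes the RSN information element from a beacon and reports the MFP mode and pairwise ciphers. It assumes the raw element bytes have already been extracted from a packet capture, and that the Capable and Required options correspond to the MFPC and MFPR bits of the 802.11 RSN Capabilities field; the function names and the sample elements are constructed for illustration.

```python
import struct

RSN_ELEMENT_ID = 48            # RSN information element ID
MFPR, MFPC = 0x0040, 0x0080    # RSN Capabilities bit 6 (required), bit 7 (capable)
OUI = b"\x00\x0f\xac"          # IEEE 802.11 suite selector OUI
CIPHERS = {2: "TKIP", 4: "CCMP"}


def _suites(body, off):
    """Read a little-endian count and that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated RSN element")
    (count,) = struct.unpack_from("<H", body, off)
    end = off + 2 + 4 * count
    if end > len(body):
        raise ValueError("truncated RSN element")
    return [body[i:i + 4] for i in range(off + 2, end, 4)], end


def mfp_mode(ie):
    """Return (MFP mode, pairwise cipher names) for one raw RSN element."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    pairwise, off = _suites(body, 6)      # skip version (2) + group cipher (4)
    _akms, off = _suites(body, off)
    if off + 2 > len(body):
        raise ValueError("RSN Capabilities field missing")
    (caps,) = struct.unpack_from("<H", body, off)
    names = [CIPHERS.get(s[3], "other") if s[:3] == OUI else "vendor" for s in pairwise]
    mode = {0: "Not Required", MFPC: "Capable", MFPC | MFPR: "Required"}.get(
        caps & (MFPC | MFPR), "Invalid")  # MFPR without MFPC is contradictory
    return mode, names


def sample_rsn(caps, pairwise=(4,)):
    """Constructed WPA2-PSK RSN element, for demonstration only."""
    group = 2 if 2 in pairwise else 4
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", 1) + OUI + b"\x02" + struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


if __name__ == "__main__":
    for caps in (0x0000, MFPC, MFPC | MFPR):
        print(hex(caps), mfp_mode(sample_rsn(caps)))
```

After Step 9, an SSID set to Required should decode as `Required` with only `CCMP` in the pairwise list; a result that still lists `TKIP` means Step 6 was not applied to that SSID.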