The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate either as a legitimate or rogue device. Management frames such as authentication, de-authentication, association, dissociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to attack a client associated with the AP.
This document aims to provide answers to the frequently asked questions about Management Frame Protection (MFP).
Management frames are broadcast frames used by IEEE 802.11 to permit a wireless client to negotiate with a Wireless Access Point (WAP). MFP provides security for unencrypted broadcast frames and management messages passed between wireless devices.
In IEEE 802.11, management frames such as deauthentication, disassociation, beacons, and probes are always unauthenticated and unencrypted. The WAP adds Message Integrity Check Information Element (MIC IE) to each management frame it transmits. Any attempt to copy, alter, or replay the frame invalidates the MIC.
3. What are some of the things an attacker can do on a network with MFP disabled?
These are the two types of MFPs:
5. What are the components of Infrastructure MFP?
Infrastructure MFP has 3 components:
Note: In order for the timestamps to operate properly, all Wireless LAN Controllers (WLC) must be Network Time Protocol (NTP) synchronized.
Specifically, client MFP encrypts management frames sent between access points and Cisco Compatible Extension version 5 (CCXv5) clients so that both the access points and clients can take preventative action by dropping spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect the following types of class 3 unicast management frames: disassociation, de-authentication, and QoS (Wireless Multimedia Extenions or WMM) action. Client MFP protects a client-access point session from the most common type of denial-of-service attack. It protects class 3 management frames by using the same encryption method used for the session data frames. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.
To use client MFP, clients must support CCXv5 MFP and must negotiate Wi-Fi Protected Access version 2 (WPA2) using either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Extensible Authentication Protocol (EAP) or Pre-Shared Key (PSK) may be used to obtain the PMK. CCKM and controller mobility management are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.
8. What are the components of Client MFP?
There are 3 components of Client MFP:
– Disassociation frames — A request to a client or WAP to disconnect or disassociate an authentication relationship.
– De-authentication frames — A request to a client or WAP to disconnect or disassociate an association relationship.
– QoS WMM action — WMM parameter is added to the beacon, probe response, and association response frames.
Note: MFP violation errors detected by client stations are handled by the CCXv5 Roaming and Real Time Diagnostics feature.
9. Why can’t my mobile device connect to the MFP enabled infrastructure device?
There are certain restrictions for some wireless clients to communicate with MFP-enabled infrastructure devices. MFP adds a long set of information elements to each probe request or SSID beacon. Some wireless clients such as PDAs, smartphones, barcode scanners, and so forth have limited memory and Central Processing Unit (CPU). So, you are not able to process these requests or beacons. As a result, you fail to see the SSID entirely, or you are not able to associate with these infrastructure devices, due to a misunderstanding of SSID capabilities. This issue is not specific to MFP. This also occurs with any SSID that has multiple information elements (IEs). It is always advisable to test MFP-enabled SSIDs on the environment with all your available client types before you deploy it in real time.
10. What is Broadcast Management Frame Protection?
In order to prevent attacks that use broadcast frames, APs that support CCXv5 does not transmit any broadcast class 3 management frames except for rogue containment de-authentication or disassociation frames. CCXv5 capable client stations must discard broadcast class 3 management frames. MFP sessions are assumed to be in a properly secured network (strong authentication plus TKIP or CCMP) so the disregard for rogue containment broadcasts is not an issue.
11. How to configure MFP on a Wireless Access Point (WAP)?
To learn how to configure MFP on a WAP, click here.
12. How to configure an Intel Wireless Network Card to connect to an MFP-enabled Network
To learn how to configure the Intel Wireless Network Card, click here.