This document covers details about IEEE 802.11w management frame protection standard and how it can be configured on the Cisco Wireless LAN Controller (WLC).
Cisco recommends that you have knowledge of Cisco WLC that runs code 7.6 or higher.
The information in this document is based on WLC 5508 that runs code 7.6.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The 802.11w standard aims to protect a set of robust management frames against forgery and replay attacks (control frames and non-robust management frames such as beacons and probes are not covered). The protected frame types are Disassociation, Deauthentication, and Robust Action frames such as:
Quality of Service (QoS)
Fast Basic Service Set (BSS) Transition
802.11w does not hide the management frames from an observer; its purpose is to let the receiver verify that they come from a legitimate source. Unicast robust management frames are protected with the pairwise key, in the same way as data frames; broadcast/multicast robust management frames are not encrypted but carry a Message Integrity Check (MIC) element. For the latter, 802.11w introduces a new key, the Integrity Group Temporal Key (IGTK), which the AP distributes to the client during the four-way key handshake used with Wi-Fi Protected Access (WPA). This makes dot1x/Pre-Shared Key (PSK) a requirement when you use 802.11w; it cannot be used with open/webauth Service Set Identifiers (SSIDs).
When Management Frame Protection is negotiated, the Access Point (AP) sends the GTK and IGTK values encrypted in the EAPOL-Key frame delivered in Message 3 of the 4-way handshake. If the AP later changes the GTK, it sends the new GTK and IGTK to the client with the Group Key Handshake. Broadcast/multicast robust management frames then carry a MIC calculated with the IGTK.
Management MIC Information Element (MMIE)
802.11w introduces a new information element called the Management MIC information element. It has the header format shown in the image: Element ID (1 octet), Length (1 octet), Key ID (2 octets), IGTK Packet Number (IPN, 6 octets) and MIC (8 octets for BIP-CMAC-128). The MMIE is always the last element in the body of a protected broadcast/multicast management frame.
The main fields of concern here are element ID and MIC. The element ID for MMIE is 0x4c and it serves as a useful identification when you analyze the wireless captures.
Note: MIC - It contains the message integrity code calculated over the management frame with the IGTK. It is important to note that this is added at the AP, since only the AP sends broadcast/multicast management frames. The receiving client re-computes the MIC for the frame and compares it with what was sent by the AP; if the values differ, the frame is rejected as invalid. The client also checks that the IPN is higher than the last one it accepted for that key ID, so a captured and replayed frame is discarded even though its MIC is valid.
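As an added example (not code from the Cisco document), the following Python parses the MMIE layout described above out of a group-addressed management frame body, splits off the protected part, and applies the per-key-ID IPN replay check a receiver performs. The MIC verification itself (BIP, AES-128-CMAC keyed with the IGTK) is deliberately left out; the sample deauthentication body and its MIC bytes are constructed test data, not a capture.

```python
import struct

MMIE_ELEMENT_ID = 0x4C   # 76: Management MIC information element


def parse_mmie(ie: bytes) -> dict:
    """Parse one MMIE: Element ID | Length | Key ID (2, LE) | IPN (6, LE) | MIC (8 or 16)."""
    if len(ie) < 2:
        raise ValueError("truncated IE header")
    eid, length = ie[0], ie[1]
    if eid != MMIE_ELEMENT_ID:
        raise ValueError(f"not an MMIE: element ID 0x{eid:02x}")
    body = ie[2:2 + length]
    if len(body) != length or length not in (16, 24):   # 8-octet MIC (BIP-CMAC-128) or 16-octet MIC
        raise ValueError(f"bad MMIE length {length}")
    (key_id,) = struct.unpack("<H", body[0:2])
    if key_id not in (4, 5):                               # IGTK key IDs are 4 and 5
        raise ValueError(f"IGTK key ID must be 4 or 5, got {key_id}")
    return {"key_id": key_id, "ipn": int.from_bytes(body[2:8], "little"), "mic": body[8:]}


def split_mmie(frame_body: bytes):
    """Return (protected part, parsed MMIE) for a group-addressed robust management frame.

    The MMIE is always the last element of the frame body; a body without one is unprotected.
    """
    for mic_len in (8, 16):
        n = 2 + 2 + 6 + mic_len
        if len(frame_body) >= n and frame_body[-n] == MMIE_ELEMENT_ID and frame_body[-n + 1] == n - 2:
            return frame_body[:-n], parse_mmie(frame_body[-n:])
    raise ValueError("no trailing MMIE: frame is not protected")


def is_protected(frame_body: bytes) -> bool:
    """True when the frame body ends in a well-formed MMIE."""
    try:
        split_mmie(frame_body)
        return True
    except ValueError:
        return False


class IgtkReplayState:
    """Per-key-ID replay counter: a receiver only accepts strictly increasing IPNs.

    The MIC is checked separately (AES-CMAC over the frame with the IGTK); an attacker who
    replays a previously valid broadcast deauth presents a correct MIC but a stale IPN.
    """

    def __init__(self):
        self.last_ipn = {}

    def accept(self, mmie: dict) -> bool:
        last = self.last_ipn.get(mmie["key_id"], -1)
        if mmie["ipn"] <= last:
            return False
        self.last_ipn[mmie["key_id"]] = mmie["ipn"]
        return True


def build_mmie(key_id: int, ipn: int, mic: bytes) -> bytes:
    """Construct an MMIE for the sample below (the MIC is a placeholder, not computed)."""
    return (bytes([MMIE_ELEMENT_ID, 8 + len(mic)]) + struct.pack("<H", key_id)
            + ipn.to_bytes(6, "little") + mic)


# Constructed sample: broadcast Deauthentication body (reason code 7) followed by an MMIE.
SAMPLE_DEAUTH_BODY = struct.pack("<H", 7) + build_mmie(4, 0x0102, bytes.fromhex("0011223344556677"))
SAMPLE_UNPROTECTED_DEAUTH_BODY = struct.pack("<H", 7)

if __name__ == "__main__":
    payload, mmie = split_mmie(SAMPLE_DEAUTH_BODY)
    print("reason code:", struct.unpack("<H", payload)[0], "MMIE:", mmie)
    print("unprotected deauth carries MMIE:", is_protected(SAMPLE_UNPROTECTED_DEAUTH_BODY))
```

In a capture, filter on element ID 0x4c at the end of deauthentication, disassociation and action frame bodies to confirm the AP is protecting its group-addressed frames.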
Changes to RSN IE
The Robust Security Network Information Element (RSN IE) advertises the security parameters supported by the AP. 802.11w adds a Group Management Cipher Suite selector to the RSN IE; it contains the cipher suite the AP uses to protect broadcast/multicast robust management frames. Its presence, together with the capability bits described next, is the easiest way to tell from a capture whether an AP supports 802.11w. This can also be verified as shown in the image.
Here, you find the group management cipher suite field which shows that 802.11w is used.
Changes were also made to the RSN Capabilities field. Bits 6 and 7 are now used to indicate the 802.11w parameters.
Bit 6: Management Frame Protection Required (MFPR) - A STA sets this bit to 1 to advertise that protection of Robust Management Frames is mandatory.
Bit 7: Management Frame Protection Capable (MFPC) - A STA sets this bit to 1 to advertise that protection of Robust Management Frames is enabled. When the AP sets this bit, it informs clients that it supports management frame protection. A frame with bit 6 set but bit 7 clear is invalid.
If you set management frame protection to required under the configuration options, both bit 6 and bit 7 are set. This is shown in the packet capture image here.
However, if you set this to optional then only bit 7 is set, as shown in the image.
Note: The WLC adds this modified RSN IE in association/re-association responses, and the APs add it in beacons and probe responses.
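The following Python is an added example, not code from the Cisco document or the WLC: it decodes an RSN IE as it appears in a beacon, probe response or association frame, reports the MFPC/MFPR bits and the Group Management Cipher Suite described above, and maps the combination to the WLC's required/optional/disabled settings. It also applies the MFPC/MFPR negotiation rule between an AP and a client. The three RSN IEs at the bottom are constructed test data built by the helper, not captures.

```python
import struct

RSN_ELEMENT_ID = 0x30
OUI = b"\x00\x0f\xac"          # IEEE 802.11 standard cipher/AKM suite OUI
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256",
           10: "CCMP-256", 11: "BIP-GMAC-128", 12: "BIP-GMAC-256", 13: "BIP-CMAC-256"}
AKMS = {1: "802.1X", 2: "PSK", 5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}
MFPR = 1 << 6   # RSN Capabilities bit 6: Management Frame Protection Required
MFPC = 1 << 7   # RSN Capabilities bit 7: Management Frame Protection Capable


def _suite(raw: bytes, table: dict) -> str:
    """Decode a 4-octet suite selector (OUI + type)."""
    oui, stype = raw[:3], raw[3]
    if oui != OUI:
        return f"vendor-{oui.hex()}-{stype}"
    return table.get(stype, f"type-{stype}")


def _suite_list(data: bytes, off: int, table: dict):
    """Decode a count-prefixed list of suite selectors; return (list, new offset)."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    suites = [_suite(data[off + 4 * i:off + 4 * i + 4], table) for i in range(count)]
    return suites, off + 4 * count


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE and report the PMF policy the AP (or STA) advertises."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a well-formed RSN IE")
    data = ie[2:2 + ie[1]]
    (version,) = struct.unpack_from("<H", data, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite(data[2:6], CIPHERS)
    pairwise, off = _suite_list(data, 6, CIPHERS)
    akms, off = _suite_list(data, off, AKMS)
    caps = 0
    if off + 2 <= len(data):                      # RSN Capabilities field is optional
        (caps,) = struct.unpack_from("<H", data, off)
        off += 2
    if off + 2 <= len(data):                      # PMKID count and list, skipped here
        (pmkid_count,) = struct.unpack_from("<H", data, off)
        off += 2 + 16 * pmkid_count
    group_mgmt = _suite(data[off:off + 4], CIPHERS) if off + 4 <= len(data) else None
    mfpc, mfpr = bool(caps & MFPC), bool(caps & MFPR)
    if mfpr and not mfpc:
        raise ValueError("invalid RSN Capabilities: MFPR set without MFPC")
    pmf = "required" if mfpr else ("optional" if mfpc else "disabled")
    return {"group_cipher": group, "pairwise_ciphers": pairwise, "akms": akms,
            "mfpc": mfpc, "mfpr": mfpr, "pmf": pmf, "group_mgmt_cipher": group_mgmt}


def negotiate_pmf(ap: dict, sta: dict):
    """Outcome of association for two parsed RSN IEs under the 802.11 MFPC/MFPR rules.

    Returns "protected", "unprotected", or None when the association is refused (an AP
    with MFPR set answers a non-capable STA with status code 31, robust management frame
    policy violation; a STA with MFPR set does not associate to a non-capable AP).
    """
    if ap["mfpr"] and not sta["mfpc"]:
        return None
    if sta["mfpr"] and not ap["mfpc"]:
        return None
    return "protected" if (ap["mfpc"] and sta["mfpc"]) else "unprotected"


def build_rsn_ie(group: int, pairwise: list, akms: list, caps: int, group_mgmt=None) -> bytes:
    """Construct an RSN IE for the samples below (test data, not a capture)."""
    body = struct.pack("<H", 1) + OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI + bytes([t]) for t in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI + bytes([t]) for t in akms)
    body += struct.pack("<H", caps)
    if group_mgmt is not None:
        body += struct.pack("<H", 0) + OUI + bytes([group_mgmt])   # empty PMKID list
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed samples mirroring the three WLC settings: required, optional, disabled.
PMF_REQUIRED_IE = build_rsn_ie(4, [4], [1, 5], MFPC | MFPR, 6)
PMF_OPTIONAL_IE = build_rsn_ie(4, [4], [2, 6], MFPC, 6)
PMF_DISABLED_IE = build_rsn_ie(4, [4], [2], 0)

if __name__ == "__main__":
    for name, ie in (("required", PMF_REQUIRED_IE), ("optional", PMF_OPTIONAL_IE),
                     ("disabled", PMF_DISABLED_IE)):
        print(name, parse_rsn_ie(ie))
```

The same parser applies to the RSN IE in a client's association request, which is how the AP learns whether the client is 802.11w capable; the "required" sample shows the SHA-256 AKM variants that 802.11w-capable clients typically add alongside the classic 802.1X/PSK ones.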
Benefits of 802.11w Management Frame Protection
Client-side protection is achieved by adding cryptographic protection to Deauthentication and Disassociation frames. This prevents an unauthorized user from launching a Denial of Service (DoS) attack by spoofing the MAC address of a legitimate user or of the AP and sending deauth/disassociation frames.
Infrastructure-side protection is added by a Security Association (SA) teardown protection mechanism, which consists of an Association Comeback Time and an SA Query procedure. Prior to 802.11w, if an AP received an Association or Authentication request from an already associated client, the AP terminated the existing connection and then started a new one. With 802.11w MFP, if the STA is associated and has negotiated Management Frame Protection, the AP rejects the Association Request with status code 30 (Association request rejected temporarily; try again later) and sends a protected SA Query Request to the associated STA. If the STA answers, the existing association is kept; only if no SA Query Response arrives within the SA query timeout is the association torn down, so that the genuine client can associate again.
Included in the Association Response is an Association Comeback Time information element which specifies a comeback time when the AP would be ready to accept an association with this STA. This way you can ensure that legitimate clients are not disassociated due to a spoofed association request.
Note: The WLC (AireOS or 9800) ignores disassociation or deauthentication frames sent by clients that do not use 802.11w PMF. The client entry is only deleted immediately upon reception of such a frame if the client uses PMF. This is to avoid denial of service by a malicious device, since there is no security on those frames without PMF.
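To make the SA teardown protection and the note above concrete, here is an added example in Python (not code from the Cisco document or the WLC) that models the AP/WLC side of the exchange: a second association request for a PMF client is rejected with status code 30 and a comeback time while an SA Query is run, the association survives if the SA Query is answered and is deleted if it is not, and a deauthentication from a client is honoured only when the client uses PMF and the frame is protected. The comeback time (1 s) and SA query timeout (200 ms) are assumed defaults; the MAC addresses and timeline are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

STATUS_SUCCESS = 0
STATUS_ASSOC_REJECTED_TEMPORARILY = 30   # "Association request rejected temporarily; try again later"


@dataclass
class Client:
    pmf: bool                                   # management frame protection negotiated
    sa_query_tid: int = 0                       # transaction ID of the last SA Query Request
    sa_query_deadline: Optional[float] = None   # None when no SA Query is pending


@dataclass
class ApPmfState:
    """AP/WLC-side association bookkeeping with 802.11w SA teardown protection."""
    comeback_time: float = 1.0      # seconds; assumed default (WLC range 1-20 s)
    sa_query_timeout: float = 0.2   # seconds; assumed default (WLC range 100-500 ms)
    clients: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)   # frames the AP would transmit

    def association_request(self, mac: str, sta_pmf: bool, now: float):
        """Handle an (Re)Association Request; returns (status code, comeback time or None)."""
        client = self.clients.get(mac)
        if client is not None and client.pmf:
            # Already associated with PMF: the request may be spoofed, so do not tear the
            # session down. Reject temporarily, advertise the comeback time and check the
            # real station with an SA Query (one outstanding query at a time).
            if client.sa_query_deadline is None:
                client.sa_query_tid += 1
                client.sa_query_deadline = now + self.sa_query_timeout
                self.sent.append(("sa_query_request", mac, client.sa_query_tid))
            return STATUS_ASSOC_REJECTED_TEMPORARILY, self.comeback_time
        # New client, or a client without PMF: pre-802.11w behaviour, (re)create the association.
        self.clients[mac] = Client(pmf=sta_pmf)
        return STATUS_SUCCESS, None

    def sa_query_response(self, mac: str, tid: int, now: float) -> bool:
        """A protected SA Query Response with the right transaction ID proves the STA is alive."""
        client = self.clients.get(mac)
        if (client is None or client.sa_query_deadline is None
                or tid != client.sa_query_tid or now > client.sa_query_deadline):
            return False
        client.sa_query_deadline = None     # keep the existing association
        return True

    def expire(self, now: float) -> list:
        """Delete clients whose SA Query went unanswered; a genuine STA can now re-associate."""
        gone = [m for m, c in self.clients.items()
                if c.sa_query_deadline is not None and now > c.sa_query_deadline]
        for mac in gone:
            del self.clients[mac]
        return gone

    def deauth_from_client(self, mac: str, protected: bool) -> bool:
        """Deauth/Disassoc from a client deletes the entry only when the client uses PMF and
        the frame is protected. Frames from non-PMF clients, and unprotected frames naming a
        PMF client, are ignored because nothing proves who sent them.
        """
        client = self.clients.get(mac)
        if client is None or not (client.pmf and protected):
            return False
        del self.clients[mac]
        return True


def run_scenario() -> dict:
    """Walk through the cases above; returns what the AP decided at each step."""
    ap, sta, legacy = ApPmfState(), "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    out = {}
    out["initial"] = ap.association_request(sta, True, now=0.0)
    out["spoofed"] = ap.association_request(sta, True, now=5.0)     # attacker reuses the MAC
    out["alive"] = ap.sa_query_response(sta, 1, now=5.1)            # real STA answers the query
    out["kept"] = ap.expire(now=5.5) == []
    out["again"] = ap.association_request(sta, True, now=6.0)       # STA really did reboot
    out["expired"] = ap.expire(now=6.5)                             # no answer this time
    out["reassoc"] = ap.association_request(sta, True, now=7.0)
    ap.association_request(legacy, False, now=0.0)                  # client without PMF
    out["legacy_deauth_ignored"] = ap.deauth_from_client(legacy, protected=False)
    out["unprotected_deauth_ignored"] = ap.deauth_from_client(sta, protected=False)
    out["protected_deauth_honoured"] = ap.deauth_from_client(sta, protected=True)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The comeback time returned with status 30 is what the client reads from the Association Comeback Time element; the SA Query transaction ID is what ties a response to the outstanding request so that a replayed response cannot be used to keep a dead association alive.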
Requirements to Enable 802.11w
802.11w requires the SSID to be configured with either dot1x or PSK.
802.11w is supported on all 802.11n capable APs. This means that the AP 1130 and 1240 do not support 802.11w.
802.11w is not supported on FlexConnect APs and 7510 WLCs in the 7.4 release. Support has been added since the 7.5 release.
Step 1. You need to enable protected management frame under the SSID configured with 802.1x/PSK. You have three options as shown in the image.
Required specifies that a client which does not support 802.11w is not allowed to connect. Optional specifies that clients which do not support 802.11w are also allowed to connect (without protection), while clients that support it negotiate protection.
Step 2. You then need to specify the Comeback timer and SA query timeout. The Comeback timer specifies the time an associated client must wait before it tries the association again after being denied with status code 30. The SA query timeout specifies how long the WLC waits for the client to respond to the SA Query. If there is no response from the client, its association is deleted from the controller. This is done as shown in the image.
Step 3. You need to enable 'PMF 802.1x' if you use 802.1x as the authentication key management method. In case you use PSK, you need to select the PMF PSK checkbox as shown in the image.
In order to enable or disable the 11w feature run the command:
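The following is an added example of the equivalent AireOS CLI configuration for the three steps above (assumed syntax, not copied from the Cisco document); the WLAN ID (1) and timer values are placeholders, and the WLAN is disabled first because AireOS does not accept security changes on an enabled WLAN:

```text
config wlan disable 1
config wlan security pmf required 1
config wlan security pmf association-comeback 1 1
config wlan security pmf saquery-retrytimeout 200 1
config wlan security wpa akm pmf 802.1x enable 1
config wlan enable 1
show wlan 1
```

Use `config wlan security pmf optional 1` instead of `required` to let non-802.11w clients connect, `config wlan security pmf disable 1` to turn the feature off, and `config wlan security wpa akm pmf psk enable 1` in place of the 802.1x line on a PSK WLAN. The `show wlan` output confirms the PMF state, comeback timer and SA query timeout that were applied.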