802.11w

Protected management frames with 802.11w

A protected management frame is a wireless security feature that

  • uses the 802.11w protocol to safeguard management frames

  • prevents spoofing and forgery of authentication, de-authentication, association, and disassociation frames, and

  • enhances the overall security of Wi-Fi networks by protecting key network management actions from attack.

While data frames can be encrypted, management frames were traditionally sent in the clear, making them vulnerable to interception and forgery. The 802.11w standard addresses this vulnerability by requiring cryptographic protection for certain management frames between client and access point.

An attacker attempting to disconnect a legitimate client by sending forged disassociation frames will fail on networks supporting protected management frames, as only cryptographically validated frames are accepted.

Types of management frames protected by 802.11w

The 802.11w protocol protects certain management frames by using the Protected Management Frames (PMF) service. These frames are classified as robust management frames and include:
  • Disassociation frames

  • De-authentication frames

  • Robust Action frames

Robust Action frames protected by 802.11w include:
  • Spectrum Management

  • Quality of Service (QoS)

  • Direct Link Setup (DLS)

  • Block acknowledgement

  • Radio Measurement

  • Fast Basic Service Set (BSS) Transition

  • Security Association (SA) Query

  • Protected Dual of Public Action

  • Vendor-specific Protected

Frames not included in this list are not protected by 802.11w.

Protections offered by 802.11w

When 802.11w is implemented, these protections are provided:

  • Client protection: The AP adds cryptographic protection to de-authentication and disassociation frames, preventing spoofing of these frames in DoS attacks.

  • Infrastructure protection: Security Association (SA) teardown protection is implemented using Association Comeback Time and SA-Query procedures to prevent spoofed association requests from disconnecting connected clients.

Integrity Group Temporal Key (IGTK)

An integrity group temporal key (IGTK) is a wireless security mechanism that

  • protects broadcast and multicast robust management frames,

  • uses random values assigned by the authenticator station (such as a wireless LAN controller), and

  • secures MAC management protocol data units (MMPDUs) in 802.11w networks.

Figure 1. IGTK Exchange in 4-way Handshake

802.11w introduced IGTKs to enhance the security of management frames in wireless networks.

How IGTK is used in 802.11w management frame protection (Process)

When management frame protection is negotiated, the AP encrypts the group temporal key (GTK) and IGTK values within an EAPOL-Key (Extensible Authentication Protocol over LAN) frame, which is delivered as the third message of the 4-way handshake.

  • IGTK is exchanged during the 4-way handshake process.

  • If the AP later changes the GTK, it sends the new GTK and IGTK to the client using the Group Key Handshake.

Imagine a wireless network as a secured meeting room, with announcements broadcast to everyone inside. The IGTK acts like a special group password that lets only authorized members hear these important messages. The authenticator (such as a wireless LAN controller) is like the meeting organizer, who gives each member a random, unique password at the door. When the password changes for added security, the organizer discreetly shares the new password with all members so that only legitimate participants can continue to hear future group announcements.

Broadcast or multicast integrity protocol (BIP)

A broadcast or multicast integrity protocol (BIP) is a wireless security mechanism that
  • ensures data integrity of broadcast and multicast robust management frames

  • provides replay protection for these frames after successful establishment of an IGTKSA, and

  • adds a message integrity code (MIC) calculated using the shared IGTK key.

SA teardown protection

SA teardown protection is a wireless network security mechanism that

  • prevents spoofed or replay attacks from disconnecting already associated clients

  • uses Association Comeback Time and an SA-Query procedure to verify the authenticity of association requests, and

  • ensures the AP only accepts new associations after the original security association is proven invalid.

How association comeback time and SA query procedures work

This process describes the mechanisms that protect wireless client sessions from replay-based association teardown attacks using Association Comeback Time and SA Query procedures.

Summary

The key components involved in the process are:

  • Access Point (AP): Implements SA teardown protection and manages association requests.

  • Client Device: Maintains a security association and sends/receives association and SA Query frames.

  • SA Teardown Protection Mechanism: Provides the logic for handling replay and spoofed association attempts.

This process involves the AP and client device exchanging association and SA Query frames to validate security associations and prevent unauthorized session teardown.

Workflow

Figure 2. Association Reject with Comeback Time

These stages describe how the Association Comeback Time and SA Query procedures operate to protect client sessions:

  1. When an AP receives an Association Request from a client with an existing valid security association (SA) negotiated with 802.11w, the AP rejects the request with status code 30 (“Association request rejected temporarily; try again later”) and sends an Association Comeback Time.
  2. The AP does not modify the existing association during the comeback interval.
  3. If no ongoing SA Query session with the client exists, the AP sends SA Query requests repeatedly until it receives a valid SA Query response or the comeback time expires.
  4. Receipt of a matching SA Query response or a valid protected frame indicates a valid SA; the AP may then allow a new association attempt without further SA Query cycles.

Result

This process ensures that spoofed requests cannot disconnect valid clients, protecting against replay-based association teardown attacks.
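The workflow above as a small state-machine simulation, added here as an illustration and not Cisco's implementation: the AP rejects an Association Request from a client that already holds a PMF-protected SA with status 30 and a comeback time, retries SA Query until a MIC-valid response arrives or the comeback interval expires, and only then treats the original SA as dead. Timer values are the page's configurable ranges; the logical millisecond clock and the client identifiers are constructed for the example.

```python
# Added illustration of an AP's SA teardown protection (802.11w), not Cisco's code.
# Time is a logical millisecond clock supplied by the caller.
STATUS_REJECTED_TEMPORARILY = 30   # "Association request rejected temporarily; try again later"

class ProtectedAp:
    def __init__(self, comeback_s=1, sa_query_ms=500):
        self.comeback_ms = comeback_s * 1000      # Association Comeback Timer (1-10 s)
        self.sa_query_ms = sa_query_ms            # SA Query retry interval (100-500 ms)
        self.associated = set()                   # clients holding a PMF-protected SA
        self.queries = {}                         # client -> {"expires", "next", "sent", "tid"}

    def on_assoc_request(self, client, now_ms):
        if client not in self.associated:
            self.associated.add(client)           # no existing SA: ordinary association
            return ("ACCEPT", None)
        # Existing 802.11w SA: reject temporarily, leave the SA untouched, start SA Query
        q = self.queries.setdefault(client, {"expires": now_ms + self.comeback_ms,
                                             "next": now_ms, "sent": set(), "tid": 1})
        return ("REJECT", {"status": STATUS_REJECTED_TEMPORARILY,
                           "comeback_ms": q["expires"] - now_ms})

    def tick(self, now_ms):
        """Advance timers; returns the (client, transaction_id) SA Query requests to send."""
        to_send = []
        for client, q in list(self.queries.items()):
            if now_ms >= q["expires"]:
                # Comeback time elapsed without a valid response: the original SA is
                # considered dead, so the next Association Request is accepted normally.
                self.associated.discard(client)
                del self.queries[client]
            elif now_ms >= q["next"]:
                to_send.append((client, q["tid"]))
                q["sent"].add(q["tid"])
                q["tid"] += 1
                q["next"] = now_ms + self.sa_query_ms
        return to_send

    def on_sa_query_response(self, client, transaction_id, mic_valid):
        """A MIC-protected response matching an outstanding request proves the SA is live."""
        q = self.queries.get(client)
        if q is None or not mic_valid or transaction_id not in q["sent"]:
            return False                          # unsolicited, forged or stale: ignored
        del self.queries[client]                  # SA confirmed; association left intact
        return True

    def is_associated(self, client):
        return client in self.associated
```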

Prerequisites for 802.11w

  • To configure the 802.11w feature as optional or mandatory, you must have WPA and AKM configured.


    Note

    The RSN (Robust Security Network) IE must be enabled with an AES cipher.

Restrictions for 802.11w

  • You cannot use 802.11w with open WLANs, Wired Equivalent Privacy (WEP)-encrypted WLANs, or Temporal Key Integrity Protocol (TKIP)-encrypted WLANs.

  • You can use 802.11w with Protected Management Frames (PMF) for non-Apple clients. For Apple iOS version 11 and earlier, request a fix from Apple to resolve association issues.

  • When clients do not use 802.11w PMF, the controller ignores disassociation frames or deauthentication frames they send. If a client uses PMF, its entry is deleted immediately when the controller receives such a frame. This process helps prevent denial-of-service attacks by malicious devices, since frames without PMF are not secure.

How to Configure 802.11w

Configuring 802.11w (GUI)

Before you begin

WPA and AKM must be configured.

Procedure


Step 1

Choose Configuration > Tags & Profiles > WLANs.

Step 2

Click Add to create WLANs.

The Add WLAN page is displayed.

Step 3

In the Security > Layer2 tab, navigate to the Protected Management Frame section.

Step 4

Choose PMF as Disabled, Optional, or Required. By default, the PMF is disabled.

If you choose Optional or Required, the following fields are displayed:

  • Association Comeback Timer—Enter a value between 1 and 10 seconds to configure 802.11w association comeback time.

  • SA Query Time—Enter a value between 100 and 500 milliseconds. This is required for clients to negotiate 802.11w PMF protection on a WLAN.

Step 5

Click Save & Apply to Device.


Configuring 802.11w (CLI)

Before you begin

WPA and AKM must be configured.

Procedure


Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name wlan-id ssid

Example:

Device(config)# wlan wlan-test 12 alpha

Configures a WLAN and enters configuration mode.

Step 3

security wpa akm dot1x-sha256

Example:

Device(config-wlan)#security wpa akm dot1x-sha256

Configures 802.1x support.

Step 4

security pmf association-comeback comeback-interval

Example:

Device(config-wlan)# security pmf association-comeback 10  

Configures the 802.11w association comeback time.

Step 5

security pmf mandatory

Example:

Device(config-wlan)# security pmf mandatory  

Requires clients to negotiate 802.11w PMF protection on a WLAN.

Step 6

security pmf saquery-retry-time timeout

Example:

Device(config-wlan)# security pmf saquery-retry-time 100  

Time interval, in milliseconds, within which the SA Query response is expected. If the device does not get a response, another SA Query is sent.

Disabling 802.11w

Procedure


Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wlan profile-name wlan-id ssid

Example:

Device(config)# wlan wlan-test 12 alpha

Configures a WLAN and enters configuration mode.

Step 3

no security wpa akm dot1x-sha256

Example:

Device(config-wlan)# no security wpa akm dot1x-sha256

Disables 802.1x support.

Step 4

no security pmf association-comeback comeback-interval

Example:

Device(config-wlan)# no security pmf association-comeback 10  

Disables the 802.11w association comeback time.

Step 5

no security pmf mandatory

Example:

Device(config-wlan)# no security pmf mandatory  

Disables client negotiation of 802.11w PMF protection on a WLAN.

Step 6

no security pmf saquery-retry-time timeout

Example:

Device(config-wlan)# no security pmf saquery-retry-time 100  

Disables the SA Query retry time.

Monitoring 802.11w

Use the following commands to monitor 802.11w.

Procedure


Step 1

show wlan name wlan-name

Displays the WLAN parameters on the WLAN. The PMF parameters are displayed.


. . . . 
. . . .        
Auth Key Management
            802.1x                             : Disabled
            PSK                                : Disabled
            CCKM                               : Disabled
            FT dot1x                           : Disabled
            FT PSK                             : Disabled
            FT SAE                             : Disabled
            Dot1x-SHA256                       : Enabled
            PSK-SHA256                         : Disabled
            SAE                                : Disabled
            OWE                                : Disabled
            SUITEB-1X                          : Disabled
            SUITEB192-1X                       : Disabled
    CCKM TSF Tolerance                         : 1000
    FT Support                                 : Adaptive
        FT Reassociation Timeout               : 20
        FT Over-The-DS mode                    : Enabled
    PMF Support                                : Required
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 500
. . . . 
. . . . 

Step 2

show wireless client mac-address mac-address detail

Displays the summary of the 802.11w authentication key management configuration on a client.


. . . . 
. . . .        
Policy Manager State: Run
NPU Fast Fast Notified : No
Last Policy Manager State : IP Learn Complete
Client Entry Create Time : 497 seconds
Policy Type : WPA2
Encryption Cipher : CCMP (AES)
Authentication Key Management : 802.1x-SHA256
Encrypted Traffic Analytics : No
Management Frame Protection : No
Protected Management Frame - 802.11w : Yes
EAP Type : LEAP
VLAN : 39
Multicast VLAN : 0
Access VLAN : 39
Anchor VLAN : 0
WFD capable : No
Manged WFD capable : No
. . . . 
. . . .
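A check a practitioner would run against the show output above: parse the "key : value" lines of "show wlan name" into a dictionary and compare the PMF settings with the prerequisites and ranges stated on this page (PMF Required, a SHA-256 AKM enabled, comeback timer 1 to 10 s, SA Query time 100 to 500 ms). This is an added example, not a Cisco tool; the excerpt embedded below is constructed in the shape of the page's output, and accepting PSK-SHA256 as well as Dot1x-SHA256 is an assumption (the page's CLI example uses dot1x-sha256 only).

```python
import re

# Constructed excerpt in the shape of "show wlan name <wlan-name>" output; not a real capture.
SHOW_WLAN_SAMPLE = """\
Auth Key Management
            802.1x                             : Disabled
            Dot1x-SHA256                       : Enabled
            PSK-SHA256                         : Disabled
    PMF Support                                : Required
        PMF Association Comeback Timeout       : 1
        PMF SA Query Time                      : 500
"""

def parse_show_wlan(text):
    """Turn 'key : value' lines into a dict; indentation and section headers are dropped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(\S.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_pmf(fields, require_mandatory=True):
    """Return a list of findings; an empty list means the WLAN matches the 802.11w settings."""
    findings = []
    pmf = fields.get("PMF Support", "Disabled")
    if require_mandatory and pmf != "Required":
        findings.append(f"PMF Support is {pmf}, expected Required")
    if pmf == "Disabled":
        return findings                     # remaining fields only matter with PMF on
    # 802.11w needs a SHA-256 AKM (assumption: dot1x-sha256 or psk-sha256 both qualify)
    if not any(fields.get(k) == "Enabled" for k in ("Dot1x-SHA256", "PSK-SHA256")):
        findings.append("no SHA-256 AKM enabled for PMF")
    comeback = int(fields.get("PMF Association Comeback Timeout", "0"))
    if not 1 <= comeback <= 10:
        findings.append(f"association comeback timeout {comeback} s outside 1-10 s")
    sa_query = int(fields.get("PMF SA Query Time", "0"))
    if not 100 <= sa_query <= 500:
        findings.append(f"SA query time {sa_query} ms outside 100-500 ms")
    return findings
```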