Protection Of Unicast Management Frames; Protection Of Broadcast Management Frames; Client Mfp For Access Points In Root Mode; Configuring Client Mfp - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual


Understanding Management Frame Protection

Protection of Unicast Management Frames

Unicast class 3 management frames are protected by applying either AES-CCMP or TKIP in a manner
that is similar to that used for data frames. Client MFP is enabled for autonomous APs only if the
encryption is AES-CCMP or TKIP and key management is Wi-Fi Protected Access version 2 (WPA2).

Protection of Broadcast Management Frames

To prevent attacks using broadcast frames, APs that support CCXv5 do not emit any broadcast class 3
management frames. An AP in workgroup bridge mode, repeater mode, or non-root bridge mode
discards broadcast class 3 management frames if Client MFP is enabled.
Client MFP is enabled for autonomous APs only if the encryption is AES-CCMP or TKIP and key
management is WPA2.

Client MFP For Access Points in Root mode

Autonomous APs in root mode support mixed-mode clients. Clients capable of CCXv5 with negotiated
cipher suite AES or TKIP with WPA2 are Client MFP enabled. Client MFP is disabled for clients that
are not CCXv5 capable. By default, Client MFP is optional for a particular service set identifier (SSID)
on the AP. Client MFP can be enabled or disabled by using the command-line interface (CLI) in SSID
configuration mode.
Client MFP can be configured as either required or optional for a particular SSID. To configure Client
MFP as required, you must configure the SSID with key management WPA2 mandatory. If the key
management is not WPA2 mandatory, an error message is displayed and your CLI command is rejected.
If you attempt to change the key management with Client MFP configured as required and key
management WPA2, an error message is displayed and your CLI command is rejected. When configured
as optional, Client MFP is enabled if the SSID is capable of WPA2; otherwise, Client MFP is disabled.

Configuring Client MFP

The following CLI commands are used to configure Client MFP for APs in root mode.
Cisco 3200 Series Wireless MIC Software Configuration Guide
ids mfp client required
This SSID configuration command enables Client MFP as required on a particular SSID. The
dot11radio interface is reset when the command is executed. The command also assumes that the
SSID is configured with WPA2 mandatory. If the SSID is not configured with WPA2 mandatory,
an error message is displayed and the command is rejected.

no ids mfp client
This SSID configuration command disables Client MFP on a particular SSID. The dot11radio
interface is reset when the command is executed.

ids mfp client optional
This SSID configuration command enables Client MFP as optional on a particular SSID. The
dot11radio interface is reset when the command is executed. Client MFP is enabled for this
particular SSID if the SSID is WPA2 capable; otherwise, Client MFP is disabled.

show dot11 ids mfp client statistics
Use this command to display Client MFP statistics on the AP console for a dot11radio interface.
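
An added example, not from the Cisco manual: a Python audit that reads the SSID blocks of a saved AP configuration and reports each SSID's effective Client MFP state under the rules in this section. The sample configuration is constructed, and the `dot11 ssid` and `authentication key-management wpa version 2 [optional]` syntax is assumed rather than taken from this page; the radio cipher (AES-CCMP or TKIP) and per-client CCXv5 capability are not checked.

```python
import re

# Constructed sample. The "ids mfp client" lines are this page's commands; the
# "dot11 ssid" and "authentication key-management" syntax is an assumption.
SAMPLE_CONFIG = """\
dot11 ssid CORP
   authentication key-management wpa version 2
   ids mfp client required
!
dot11 ssid GUEST
   no ids mfp client
!
dot11 ssid LEGACY
   ids mfp client optional
!
dot11 ssid DEFAULTED
   authentication key-management wpa version 2
!
"""

def audit_client_mfp(config):
    """Map each SSID to its effective Client MFP state under the page's rules."""
    blocks, current = {}, None
    for line in config.splitlines():
        header = re.match(r"dot11 ssid (\S+)", line)
        if header:
            current = blocks.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or any unindented line closes the SSID block
    report = {}
    for ssid, lines in blocks.items():
        km = [l for l in lines if l.startswith("authentication key-management")]
        wpa2 = any("wpa version 2" in l for l in km)
        # Assumption: a trailing "optional" keyword means WPA2 is not mandatory.
        mandatory = any(l.endswith("wpa version 2") for l in km)
        mode = "optional"  # the page's stated default for an SSID
        for l in lines:
            if "ids mfp client" in l:
                mode = "disabled" if l.startswith("no ") else l.split()[-1]
        if mode == "required":
            mode = "required" if mandatory else "invalid"  # the CLI rejects this
        elif mode == "optional":
            mode = "optional-enabled" if wpa2 else "optional-disabled"
        report[ssid] = mode
    return report

if __name__ == "__main__":
    print(audit_client_mfp(SAMPLE_CONFIG))
```

SSIDs reported as `disabled` or `optional-disabled` send unprotected class 3 management frames to every client, so they are the ones to review first.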