Management frame protection (MFP) provides security for the otherwise unprotected and unencrypted 802.11 management messages passed between access points and clients.
MFP provides both infrastructure and client support.
• Infrastructure MFP—Protects management frames by detecting adversaries that are invoking
denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue access
points, and affecting network performance by attacking the QoS and radio measurement frames.
Infrastructure MFP is a global setting that provides a quick and effective means to detect and report phishing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message
integrity check information elements (MIC IEs) to the management frames emitted by access points (and
not those emitted by clients), which are then validated by other access points in the network. Infrastructure
MFP is passive. It can detect and report intrusions but has no means to stop them.
• Client MFP—Shields authenticated clients from spoofed frames, preventing many of the common attacks
against wireless LANs from becoming effective. Most attacks, such as deauthentication attacks, revert
to simply degrading performance by contending with valid clients.
Specifically, client MFP encrypts management frames are sent between access points and CCXv5 clients so that both the access points and clients can take preventative action by dropping spoofed class 3 management frames (that is, management frames passed between an access point and a client that is authenticated and associated).
Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect the following types of class 3 unicast management frames: disassociation, deauthentication, and QoS (WMM) action.
Client MFP protects a client-access point session from the most common type of denial-of-service attack. It protects class 3 management frames by using the same encryption method used for the session’s data frames. If a frame received by the access point or client fails decryption, it is dropped, and the event is reported to the controller.
To use client MFP, clients must support CCXv5 MFP and must negotiate WPA2 using either TKIP or
AES-CCMP. EAP or PSK may be used to obtain the PMK. CCKM and controller mobility management
are used to distribute session keys between access points for Layer 2 and Layer 3 fast roaming.