Infrastructure MFP – Part 2

To prevent attacks using broadcast frames, access points supporting CCXv5 will not emit any broadcast class 3 management frames (such as disassociation, deauthentication, or action). CCXv5 clients and access points must discard broadcast class 3 management frames.

Client MFP supplements infrastructure MFP rather than replacing it, because infrastructure MFP continues to detect and report invalid unicast frames sent to clients that are not client-MFP capable, as well as invalid class 1 and 2 management frames. Infrastructure MFP is applied only to management frames that are not protected by client MFP.

Infrastructure MFP consists of three main components:

• Management frame protection—The access point protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. MFP is supported for use with Cisco Aironet lightweight access points.

• Management frame validation—In infrastructure MFP, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system. In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.

• Event reporting—The access point notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and can report the results through SNMP traps to the network management system.
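The three components above, modelled end to end as an added example that is not part of the original document or of Cisco's implementation: a transmitting AP appends a MIC IE (timestamp plus keyed MIC), a receiving AP checks for a missing, altered or replayed frame, and the controller aggregates the anomalies per BSSID. The key, the vendor-specific element ID, the frame layout and the replay window are assumptions for the illustration; the real CCX MIC IE format and key derivation are not reproduced.

```python
import hmac, hashlib, struct
from collections import Counter

# Constructed model of infrastructure MFP, not Cisco's MIC IE format or keying.
MFP_KEY = b"example-mfp-key"    # assumption: key provisioned by the controller
MIC_IE_ID = 221                 # vendor-specific element ID used for the illustration
REPLAY_WINDOW = 5.0             # seconds of timestamp skew tolerated; needs NTP sync

def mic_for(bssid: bytes, body: bytes, ts_bytes: bytes) -> bytes:
    """Keyed MIC over BSSID, frame body and timestamp (truncated HMAC-SHA256)."""
    return hmac.new(MFP_KEY, bssid + body + ts_bytes, hashlib.sha256).digest()[:8]

def protect(bssid: bytes, body: bytes, ts: float) -> bytes:
    """Transmit side: append MIC IE = [ID, len=16, 8-byte timestamp, 8-byte MIC]."""
    ts_bytes = struct.pack(">d", ts)
    return bssid + body + bytes([MIC_IE_ID, 16]) + ts_bytes + mic_for(bssid, body, ts_bytes)

def validate(frame: bytes, now: float, seen: set, mfp_bssids: set) -> str:
    """Receive side: return 'ok' or the anomaly type reported to the controller."""
    bssid = frame[:6]
    if bssid not in mfp_bssids:
        return "ok"                      # originator not configured to transmit MFP
    if len(frame) < 24 or frame[-18] != MIC_IE_ID or frame[-17] != 16:
        return "missing_mic_ie"          # spoofed frame from an MFP-capable BSSID
    body, ts_bytes, mic = frame[6:-18], frame[-16:-8], frame[-8:]
    if not hmac.compare_digest(mic, mic_for(bssid, body, ts_bytes)):
        return "invalid_mic"             # copied or altered frame
    ts = struct.unpack(">d", ts_bytes)[0]
    if abs(now - ts) > REPLAY_WINDOW or mic in seen:
        return "replay"                  # stale timestamp or MIC already seen
    seen.add(mic)
    return "ok"

def controller_report(events):
    """Aggregate (bssid, anomaly) events as the controller does before sending traps."""
    return Counter((b.hex(), a) for b, a in events if a != "ok")

def demo():
    ap = bytes.fromhex("02aabbccddee")           # constructed BSSID of an MFP-enabled AP
    mfp_bssids, seen, events = {ap}, set(), []
    good = protect(ap, b"deauth:reason=7", 1000.0)
    forged = good[:8] + b"X" + good[9:]          # one body byte altered, MIC IE kept
    bare = ap + b"deauth:reason=7"               # same frame without any MIC IE
    for frame, now in [(good, 1001.0), (good, 1002.0), (forged, 1001.0),
                       (bare, 1001.0), (good, 1200.0)]:
        events.append((ap, validate(frame, now, seen, mfp_bssids)))
    return controller_report(events)
```

Running `demo()` yields two replay reports (a re-sent frame and a stale one), one invalid MIC and one missing MIC IE for the same BSSID; frames from a BSSID not configured for MFP pass unchecked, as the text describes.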

Note: Client MFP uses the same event reporting mechanisms as infrastructure MFP.

Infrastructure MFP is disabled by default and can be enabled globally. When you upgrade from a previous software release, infrastructure MFP is disabled globally if access point authentication is enabled because the two features are mutually exclusive. Once infrastructure MFP is enabled globally, signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected access points.

Client MFP is enabled by default on WLANs that are configured for WPA2. It can be disabled, or it can be made mandatory (in which case, only clients that negotiate MFP are allowed to associate) on selected WLANs.

Restrictions for Management Frame Protection

• Lightweight access points support infrastructure MFP in local and monitor modes and in FlexConnect mode when the access point is connected to a controller. They support client MFP in local, FlexConnect, and bridge modes.

• OEAP 600 Series Access points do not support MFP.

• Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or AES-CCMP.

• Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.

• Error reports generated on a FlexConnect access point in standalone mode cannot be forwarded to the controller and are dropped.
