Management Frame Protection (MFP) on WLC.
MFP is a mechanism intended to stop attackers from spoofing management frames.
All 802.11 management frames are normally sent unprotected.
When MFP is enabled, the AP adds a MIC IE to each management frame. The AP also validates every management frame it receives from another AP in the network. If a frame does not include a valid MIC IE, it is reported to the WCS.
As always, time is very important, so an NTP master in your network is recommended.
Only the following AP modes support Client MFP: Local, H-REAP, Bridge Root.
You can enable MFP globally:
Once MFP is enabled on the controller, you can disable and re-enable it per WLAN and per AP.
Client MFP is not active unless WPA2 is configured.
You can verify your settings by typing the command:
(Cisco Controller) >show wps mfp summary

Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden)
Controller Time Source Valid..................... False

                                       WLAN        Infra.      Client
WLAN ID  WLAN Name                     Status      Protection  Protection
-------  ----------------------------  ----------  ----------  ----------
1        lab                           Disabled    *Enabled    Optional
2        HQ_APGroup                    Enabled     *Enabled    Optional
3        WGB                           Enabled     *Enabled    Optional but inactive (WPA2 not configured)

                     Infra.      Operational    --Infra. Capability--
AP Name              Validation  Radio  State   Protection  Validation
-------------------- ----------  -----  ------  ----------  ----------
AP_1242_4            *Enabled    b/g    Up      Full        Full
                                 a      Up      Full        Full
(Cisco Controller) >show ap config general AP_1242_4
Management Frame Protection Validation.......... Enabled (Global MFP Disabled)
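The show output above is what you have to read by eye on every controller. The following added example (not from the original post and not Cisco code) parses a `show wps mfp summary` capture and flags the conditions the post warns about: global infrastructure MFP disabled (which overrides every per-WLAN infrastructure setting), an invalid controller time source (no NTP), and WLANs whose client MFP is only optional or inactive because WPA2 is not configured. The sample output is constructed to match the table on this page; the column widths are assumed.

```python
"""Audit a Cisco WLC 'show wps mfp summary' capture for MFP weaknesses.

Added example, not part of the original post and not Cisco's own code.
SAMPLE_OUTPUT is a constructed capture matching the table shown on the page.
"""
import re

SAMPLE_OUTPUT = """\
(Cisco Controller) >show wps mfp summary

Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden)
Controller Time Source Valid..................... False

                                       WLAN        Infra.      Client
WLAN ID  WLAN Name                     Status      Protection  Protection
-------  ----------------------------  ----------  ----------  ----------
1        lab                           Disabled    *Enabled    Optional
2        HQ_APGroup                    Enabled     *Enabled    Optional
3        WGB                           Enabled     *Enabled    Optional but inactive (WPA2 not configured)

                     Infra.      Operational    --Infra. Capability--
AP Name              Validation  Radio  State   Protection  Validation
-------------------- ----------  -----  ------  ----------  ----------
AP_1242_4            *Enabled    b/g    Up      Full        Full
                                 a      Up      Full        Full
"""

# One WLAN row: id, name, WLAN status, infra protection (may carry the
# '*' override marker), and the free-text client protection column.
WLAN_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<name>\S+)\s+(?P<status>Enabled|Disabled)\s+"
    r"(?P<infra>\*?(?:Enabled|Disabled))\s+(?P<client>.+?)\s*$"
)
GLOBAL_STATE = re.compile(r"^Global Infrastructure MFP state\.+\s*(\w+)")
TIME_SOURCE = re.compile(r"^Controller Time Source Valid\.+\s*(True|False)")


def parse_mfp_summary(text):
    """Return the global MFP state, time-source validity and per-WLAN rows."""
    summary = {"global_state": None, "time_source_valid": None, "wlans": []}
    for line in text.splitlines():
        m = GLOBAL_STATE.match(line)
        if m:
            summary["global_state"] = m.group(1).upper()
            continue
        m = TIME_SOURCE.match(line)
        if m:
            summary["time_source_valid"] = m.group(1) == "True"
            continue
        m = WLAN_ROW.match(line)
        if m:
            summary["wlans"].append({
                "id": int(m.group("id")),
                "name": m.group("name"),
                "status": m.group("status"),
                "infra_protection": m.group("infra"),
                "client_protection": m.group("client"),
            })
    return summary


def audit_mfp(summary):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if summary["global_state"] != "ENABLED":
        findings.append(
            "Global infrastructure MFP is %s: per-WLAN infrastructure settings "
            "are overridden and management frames are not validated"
            % summary["global_state"]
        )
    if not summary["time_source_valid"]:
        findings.append("Controller time source is not valid: configure NTP")
    for w in summary["wlans"]:
        if w["status"] != "Enabled":
            continue  # a disabled WLAN serves no clients, so skip it
        label = "WLAN %d (%s)" % (w["id"], w["name"])
        if "inactive" in w["client_protection"]:
            findings.append(label + ": client MFP inactive (WPA2 not configured)")
        elif w["client_protection"].startswith("Optional"):
            findings.append(label + ": client MFP optional, non-MFP clients are unprotected")
    return findings


if __name__ == "__main__":
    for finding in audit_mfp(parse_mfp_summary(SAMPLE_OUTPUT)):
        print("-", finding)
```

Run it against a saved capture by replacing `SAMPLE_OUTPUT` with the file contents; on the page's output it reports the disabled global state, the missing time source, and WLANs 2 and 3, while WLAN 1 is skipped because it is administratively disabled.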