Management Frame Protection (MFP) on WLC.


MFP is a mechanism that makes it harder for an attacker to spoof management frames. All 802.11 management frames are normally sent unprotected.

When MFP is enabled, the AP adds a MIC IE (message integrity check information element) to each management frame it sends. The AP also validates every management frame it receives from another AP in the network. If a frame does not carry a valid MIC IE, the event is reported to the WCS.

As always, time is very important, so an NTP master in your network is recommended.

Only the following AP modes support Client MFP:
Local, H-REAP, Bridge Root.

You can enable MFP globally:
[Screenshot: mfp_WPP]

Once MFP is enabled on the controller, you can disable and re-enable it per WLAN and per AP.
[Screenshot: MFP_AP]
[Screenshot: MFP_Wlan]

Client MFP is not active unless WPA2 is configured on the WLAN.

You can verify your settings with the following command:
(Cisco Controller) >show wps mfp summary

Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden)
Controller Time Source Valid..................... False

                                           WLAN      Infra.       Client
WLAN ID  WLAN Name                  Status    Protection   Protection
-------  -------------------------  --------  ----------   ----------
1        lab                        Disabled  *Enabled     Optional
2        HQ_APGroup                 Enabled   *Enabled     Optional
3        WGB                        Enabled   *Enabled     Optional but inactive (WPA2 not configured)

                      Infra.              Operational    --Infra. Capability--
AP Name               Validation  Radio   State          Protection  Validation
--------------------  ----------  -----   -------------  ----------  ----------
AP_1242_4             *Enabled    b/g     Up             Full        Full
                                  a       Up             Full        Full

(Cisco Controller) >show ap config general AP_1242_4

Management Frame Protection Validation........... Enabled (Global MFP Disabled)
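As an added example (not part of the original post), the small Python audit below parses a capture of `show wps mfp summary` and reports the three conditions the post tells you to look for: global infrastructure MFP disabled, an invalid controller time source, and WLANs whose client MFP is inactive because WPA2 is not configured. The sample output is constructed from the table shown above.

```python
import re

# Constructed sample, modelled on the 'show wps mfp summary' output shown in the post.
SAMPLE_OUTPUT = """\
Global Infrastructure MFP state.................. DISABLED (*all infrastructure settings are overridden)
Controller Time Source Valid..................... False

                                           WLAN      Infra.       Client
WLAN ID  WLAN Name                  Status    Protection   Protection
-------  -------------------------  --------  ----------   ----------
1        lab                        Disabled  *Enabled     Optional
2        HQ_APGroup                 Enabled   *Enabled     Optional
3        WGB                        Enabled   *Enabled     Optional but inactive (WPA2 not configured)
"""

# One WLAN row: id, name, WLAN status, infra protection (may carry a leading '*'), client protection.
WLAN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(Enabled|Disabled)\s+(\*?\w+)\s+(.+)$")


def audit_mfp_summary(text):
    """Return a list of findings for a 'show wps mfp summary' capture.

    The checks mirror the post: global MFP state, a valid time source
    (MFP validation depends on synchronized time, hence the NTP advice),
    and WLANs where client MFP is configured but inactive without WPA2.
    """
    findings = []

    m = re.search(r"Global Infrastructure MFP state\.+\s*(\w+)", text)
    if m and m.group(1).upper() != "ENABLED":
        findings.append("global infrastructure MFP is %s: per-WLAN and per-AP "
                        "infrastructure settings are overridden" % m.group(1))

    m = re.search(r"Controller Time Source Valid\.+\s*(\w+)", text)
    if m and m.group(1) != "True":
        findings.append("controller time source not valid: configure NTP, "
                        "otherwise MIC validation cannot be trusted")

    for line in text.splitlines():
        row = WLAN_ROW.match(line.strip())
        if row is None:
            continue  # header, separator and global-state lines
        wlan_id, name, status, _infra, client = row.groups()
        if status == "Enabled" and "inactive" in client:
            findings.append("WLAN %s (%s): client MFP %s" % (wlan_id, name, client))

    return findings


if __name__ == "__main__":
    for finding in audit_mfp_summary(SAMPLE_OUTPUT):
        print("-", finding)
```

Feed it the real controller output (copied from a terminal session) instead of SAMPLE_OUTPUT to check a controller after configuration changes.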

About Joost van der Made