Management Frame Protection; Understanding Management Frame Protection - Cisco C3201FESMIC-TP= - 3201 Fast EN Switch Mobile Interface Card Expansion Module Software Configuration Manual

Management Frame Protection

This document describes how to configure Management Frame Protection (MFP).

Understanding Management Frame Protection

Management Frame Protection provides security for the management messages passed between access points (APs) and client stations. MFP consists of two functional components: Infrastructure MFP and Client MFP.

Infrastructure MFP provides infrastructure support. It applies a message integrity check (MIC) to broadcast and directed management frames. This check assists in detecting rogue devices and denial-of-service attacks.

Client MFP provides client support. It protects authenticated clients from spoofed frames, preventing many of the common attacks against WLANs from becoming effective.

Management Frame Protection operation requires a wireless domain service (WDS). MFP is configured at the wireless LAN solution engine (WLSE), but you can manually configure MFP on an AP and WDS. If a WLSE is not present, MFP cannot report detected intrusions and thus has limited effectiveness.
Note: If a WLSE is present, you should perform the configuration from the WLSE. For complete protection, you should also configure an MFP AP for Simple Network Time Protocol (SNTP).
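To make the Infrastructure MFP mechanism concrete, here is an added illustration of what a MIC on management frames buys a validator; it is example code written for this page, not Cisco's MFP implementation or its MIC IE format. It assumes a key shared between the APs of one WDS domain (a constructed value), an HMAC-SHA256 MIC truncated to 8 bytes, and a timestamp inside the protected fields, which is what makes the SNTP requirement above matter: without synchronised clocks a validator cannot tell a replayed frame from a fresh one without also rejecting genuine frames.

```python
import hashlib
import hmac
import struct

# Hypothetical key the WDS would distribute to the APs in its domain (constructed for this example).
WDS_MFP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

MIC_LEN = 8            # bytes of MIC kept; truncation is an assumption of this example
MAX_CLOCK_SKEW = 5     # seconds of sender/validator clock difference tolerated

# 802.11 management frame subtypes used below
SUBTYPE_BEACON = 0x08
SUBTYPE_DEAUTH = 0x0C

# Constructed MAC addresses
AP_ADDR = bytes.fromhex("02aabbcc0001")
CLIENT_ADDR = bytes.fromhex("02aabbcc0002")
BROADCAST = b"\xff" * 6


def mic_input(frame: dict, timestamp: int) -> bytes:
    """Canonical bytes the MIC covers: subtype, the three addresses, sequence number, timestamp, body."""
    header = struct.pack(
        "!B6s6s6sHI",
        frame["subtype"], frame["addr1"], frame["addr2"], frame["addr3"], frame["seq"], timestamp,
    )
    return header + frame["body"]


def protect(frame: dict, key: bytes, now: int) -> dict:
    """Return a copy of the frame carrying a timestamp and MIC, as an MFP AP does by adding its MIC IE."""
    protected = dict(frame, timestamp=now)
    protected["mic"] = hmac.new(key, mic_input(frame, now), hashlib.sha256).digest()[:MIC_LEN]
    return protected


def validate(frame: dict, key: bytes, now: int) -> str:
    """Classify a received management frame: 'valid', 'missing-mic', 'bad-mic' or 'stale'."""
    if "mic" not in frame or "timestamp" not in frame:
        return "missing-mic"          # an MFP-enabled AP never sends an unprotected frame
    expected = hmac.new(key, mic_input(frame, frame["timestamp"]), hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(expected, frame["mic"]):
        return "bad-mic"              # forged, or copied and altered
    if abs(now - frame["timestamp"]) > MAX_CLOCK_SKEW:
        return "stale"                # replay of a once-valid frame, or clocks out of sync
    return "valid"


def demo() -> dict:
    """Run the cases an MFP validator must distinguish; returns each verdict so it can be checked."""
    t0 = 1_700_000_000
    deauth = {"subtype": SUBTYPE_DEAUTH, "addr1": CLIENT_ADDR, "addr2": AP_ADDR,
              "addr3": AP_ADDR, "seq": 17, "body": b"\x03\x00"}   # reason code 3
    genuine = protect(deauth, WDS_MFP_KEY, t0)

    unprotected = dict(deauth)                 # claims the AP's address but carries no MIC
    altered = dict(genuine, body=b"\x07\x00")  # copy of the genuine frame with the reason code changed
    replayed = dict(genuine)                   # the genuine frame heard again a minute later

    return {
        "genuine": validate(genuine, WDS_MFP_KEY, t0 + 1),
        "unprotected": validate(unprotected, WDS_MFP_KEY, t0 + 1),
        "altered": validate(altered, WDS_MFP_KEY, t0 + 1),
        "replayed": validate(replayed, WDS_MFP_KEY, t0 + 60),
        # same genuine frame, but the validating AP's clock is 30 s off: a false rejection
        "skewed_validator": validate(genuine, WDS_MFP_KEY, t0 + 30),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>17}: {verdict}")
```

The last case is the one SNTP prevents: a validator whose clock drifts beyond the tolerance rejects genuine frames as stale, and in a real deployment those false reports would reach the WLSE alongside the real detections.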
Client MFP encrypts class 3 management frames sent between APs and Cisco Compatible Extension version 5 (CCXv5)-capable client stations, so that both AP and client can take preventive action by dropping spoofed class 3 management frames (that is, management frames passed between an AP and a client station that is authenticated and associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3 unicast management frames. The unicast cipher suite that is negotiated by the STA in the reassociation request's Robust Security Network Information Element (RSNIE) is used to protect both unicast data and class 3 management frames. An AP in workgroup bridge mode, repeater mode, or non-root bridge mode must negotiate either Temporal Key Integrity Protocol (TKIP) or Advanced Encryption Standard-Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP) to use Client MFP.
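Because Client MFP reuses whichever unicast cipher the STA selected in its RSNIE, the eligibility decision reduces to reading that element. The following is an added example, not code from this manual or from Cisco's AP software: it decodes a standard RSN information element (element ID 48, 802.11i layout) and reports the cipher Client MFP would use, or none when the STA negotiated no RSN or a cipher other than TKIP or CCMP. The sample elements are constructed, and the rule that a reassociation request carries exactly one pairwise suite is an assumption the helper enforces.

```python
import struct
from typing import Optional

RSN_ELEMENT_ID = 48
IEEE_OUI = b"\x00\x0f\xac"   # OUI prefix of the standard cipher and AKM suite selectors

CIPHER_SUITES = {0: "group-as-pairwise", 1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}
CLIENT_MFP_CIPHERS = {"TKIP", "CCMP-128"}   # the ciphers the manual says Client MFP requires


def _suite(selector: bytes, table: dict) -> str:
    """Decode a 4-byte suite selector (3-byte OUI + 1-byte type) to a name."""
    if len(selector) != 4:
        raise ValueError("truncated suite selector")
    oui, kind = selector[:3], selector[3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{kind}"
    return table.get(kind, f"unknown-{kind}")


def parse_rsn_ie(ie: bytes) -> dict:
    """Decode an RSN information element into version, group cipher, pairwise ciphers, AKMs, capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    length = ie[1]
    body = ie[2:2 + length]
    if len(body) != length:
        raise ValueError("RSN IE shorter than its length field")
    try:
        off = 0
        version, = struct.unpack_from("<H", body, off); off += 2
        group = _suite(body[off:off + 4], CIPHER_SUITES); off += 4
        n_pairwise, = struct.unpack_from("<H", body, off); off += 2
        pairwise = []
        for _ in range(n_pairwise):
            pairwise.append(_suite(body[off:off + 4], CIPHER_SUITES)); off += 4
        n_akm, = struct.unpack_from("<H", body, off); off += 2
        akms = []
        for _ in range(n_akm):
            akms.append(_suite(body[off:off + 4], AKM_SUITES)); off += 4
        # RSN capabilities are optional; absent in a minimal element
        capabilities = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else None
    except struct.error as exc:
        raise ValueError("RSN IE body truncated") from exc
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akms, "capabilities": capabilities}


def client_mfp_cipher(reassoc_rsn_ie: Optional[bytes]) -> Optional[str]:
    """Cipher Client MFP would protect the STA's class 3 management frames with, or None if it cannot."""
    if reassoc_rsn_ie is None:
        return None   # no RSNIE: open or WEP client, no 802.11i keys to protect management frames with
    rsn = parse_rsn_ie(reassoc_rsn_ie)
    if len(rsn["pairwise"]) != 1:
        return None   # a (re)association request names the one suite the STA selected (assumption)
    cipher = rsn["pairwise"][0]
    return cipher if cipher in CLIENT_MFP_CIPHERS else None


# Constructed RSN IEs as a STA might send them in a reassociation request
RSN_CCMP_PSK = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
RSN_TKIP_8021X = bytes.fromhex("3014" "0100" "000fac02" "0100" "000fac02" "0100" "000fac01" "0000")
RSN_WEP104 = bytes.fromhex("3014" "0100" "000fac05" "0100" "000fac05" "0100" "000fac02" "0000")

if __name__ == "__main__":
    for name, ie in [("CCMP/PSK", RSN_CCMP_PSK), ("TKIP/802.1X", RSN_TKIP_8021X),
                     ("WEP-104", RSN_WEP104), ("no RSNIE", None)]:
        print(f"{name:>12}: {parse_rsn_ie(ie) if ie else '-'} -> Client MFP cipher {client_mfp_cipher(ie)}")
```

The WEP and no-RSNIE cases are the ones the manual's last sentence is about: a station (or a repeater, workgroup bridge or non-root bridge acting as one) that did not negotiate TKIP or AES-CCMP has no 802.11i unicast key, so there is nothing for Client MFP to protect its management frames with.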
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2008 Cisco Systems, Inc. All rights reserved.
