5-67
Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 5 Configuring Security Solutions
Configuring Management Frame Protection
Infrastructure MFP consists of three main components:
• Management frame protection—The access point protects the management frames it transmits by adding a MIC IE to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy.
• Management frame validation—In infrastructure MFP, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system. In order for the timestamps to operate properly, all controllers must be Network Time Protocol (NTP) synchronized.
• Event reporting—The access point notifies the controller when it detects an anomaly, and the controller aggregates the received anomaly events and can report the results through SNMP traps to the network management system.
Note
Error reports generated on a hybrid-REAP access point in stand-alone mode cannot be forwarded to the controller and are dropped.
Note
Client MFP uses the same event reporting mechanisms as infrastructure MFP.
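The following Python model, added here as an illustration and not taken from the guide or from Cisco's implementation, walks through the three components above: an AP adds a MIC IE to an outbound management frame, a receiving AP validates presence, integrity and freshness of the MIC against the set of BSSIDs expected to sign, and a controller aggregates the reported anomalies. The MIC construction (truncated HMAC-SHA256 over BSSID, timestamp and body), the 5-second freshness window, the shared key and all frame contents are assumptions made for the example; the real MFP MIC IE format is not described on this page.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumptions not taken from the guide: a 64-bit MIC computed as a truncated
# HMAC-SHA256 over BSSID || millisecond timestamp || frame body, and a 5-second
# freshness window for the timestamp check (which is why clocks must be NTP-synced).
MIC_LEN = 8
FRESHNESS_WINDOW_S = 5.0


@dataclass
class MgmtFrame:
    bssid: str                        # transmitting AP's BSSID
    body: bytes                       # management frame body (beacon, probe response, ...)
    timestamp: float                  # sender's clock at transmit time (Unix seconds)
    mic_ie: Optional[bytes] = None    # None models "no MIC IE present"


def compute_mic(key: bytes, bssid: str, timestamp: float, body: bytes) -> bytes:
    """Constructed MIC: HMAC over BSSID, timestamp and body, truncated to MIC_LEN."""
    ts = int(timestamp * 1000).to_bytes(8, "big")
    return hmac.new(key, bssid.encode() + ts + body, hashlib.sha256).digest()[:MIC_LEN]


def protect(frame: MgmtFrame, key: bytes) -> MgmtFrame:
    """Signature generation: the transmitting AP appends a MIC IE to the frame."""
    mic = compute_mic(key, frame.bssid, frame.timestamp, frame.body)
    return MgmtFrame(frame.bssid, frame.body, frame.timestamp, mic)


class Validator:
    """Management frame validation as performed by a receiving AP."""

    def __init__(self, key: bytes, mfp_bssids: Set[str]):
        self.key = key
        self.mfp_bssids = mfp_bssids                          # BSSIDs configured to transmit MFP frames
        self.seen: Set[Tuple[str, float, bytes]] = set()      # already-accepted frames, for copy detection

    def validate(self, frame: MgmtFrame, now: float) -> Optional[str]:
        """Return None if the frame is acceptable, otherwise an anomaly label."""
        if frame.bssid not in self.mfp_bssids:
            return None                        # originator is not expected to sign; nothing to check
        if frame.mic_ie is None:
            return "mic-missing"               # MFP AP sent a frame without a MIC IE
        expected = compute_mic(self.key, frame.bssid, frame.timestamp, frame.body)
        if not hmac.compare_digest(frame.mic_ie, expected):
            return "mic-invalid"               # body or header no longer matches the MIC
        if abs(now - frame.timestamp) > FRESHNESS_WINDOW_S:
            return "timestamp-stale"           # valid MIC but outside the freshness window
        fingerprint = (frame.bssid, frame.timestamp, frame.mic_ie)
        if fingerprint in self.seen:
            return "replay"                    # exact copy of a frame already accepted
        self.seen.add(fingerprint)
        return None


class Controller:
    """Event reporting: aggregates anomaly events received from APs."""

    def __init__(self):
        self.counts: Dict[Tuple[str, str], int] = {}

    def report(self, frame: MgmtFrame, anomaly: str) -> None:
        key = (frame.bssid, anomaly)
        self.counts[key] = self.counts.get(key, 0) + 1

    def summary(self) -> Dict[Tuple[str, str], int]:
        return dict(self.counts)


def run_demo() -> Dict[Tuple[str, str], int]:
    """Drive the three components over constructed frames; returns the controller's summary."""
    key = b"constructed-shared-mfp-key"
    mfp_ap = "00:11:22:33:44:01"         # constructed BSSID configured for MFP
    legacy_ap = "00:11:22:33:44:99"      # constructed BSSID not configured for MFP
    validator = Validator(key, {mfp_ap})
    controller = Controller()
    now = 1_700_000_000.0

    signed = protect(MgmtFrame(mfp_ap, b"beacon:ssid=corp", now), key)
    cases = [
        signed,                                                          # accepted
        signed,                                                          # same frame again -> replay
        MgmtFrame(mfp_ap, signed.body, now, None),                       # MIC IE stripped
        MgmtFrame(mfp_ap, b"beacon:ssid=tampered", now, signed.mic_ie),  # body altered after signing
        protect(MgmtFrame(mfp_ap, b"beacon:ssid=corp", now - 60), key),  # signed but stale
        MgmtFrame(legacy_ap, b"beacon:ssid=guest", now),                 # unsigned, not expected to sign
    ]
    for frame in cases:
        anomaly = validator.validate(frame, now)
        if anomaly:
            controller.report(frame, anomaly)
    return controller.summary()
```

Running `run_demo()` yields one event each for `replay`, `mic-missing`, `mic-invalid` and `timestamp-stale` from the MFP-enabled BSSID, and nothing for the legacy BSSID, which mirrors the rule that validation only flags frames from BSSIDs configured to transmit MFP frames.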
Infrastructure MFP is enabled by default and can be disabled globally. When you upgrade from a
previous software release, infrastructure MFP is disabled globally if access point authentication is
enabled because the two features are mutually exclusive. Once infrastructure MFP is enabled globally,
signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and
validation can be disabled for selected access points.
Client MFP is enabled by default on WLANs that are configured for WPA2. It can be disabled, or it can
be made mandatory (in which case only clients that negotiate MFP are allowed to associate) on selected
WLANs.
You can configure MFP through either the GUI or the CLI.
Guidelines for Using MFP
Follow these guidelines for using MFP:
• MFP is supported for use with Cisco Aironet lightweight access points.
• Lightweight access points support infrastructure MFP in local and monitor modes and in hybrid-REAP mode when the access point is connected to a controller. They support Client MFP in local, hybrid-REAP, and bridge modes.
• Client MFP is supported for use only with CCXv5 clients using WPA2 with TKIP or AES-CCMP.
• Non-CCXv5 clients may associate to a WLAN if client MFP is disabled or optional.