12-26
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-29225-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection
Configuring Management Frame Protection
Management Frame Protection operation requires a WDS and is available on 32 Mb platforms only
(1130, 1140, 1240, 1250 series access points, and 1300 series access points in AP mode). MFP is
configured at the WLSE, but you can configure MFP on an access point and WDS manually.
Note If a WLSE is not present, then MFP cannot report detected intrusions and so has limited effectiveness.
If a WLSE is present, you should perform the configuration from the WLSE.
For complete protection, you should also configure an MFP access point for Simple Network Transfer
Protocol (SNTP).
Overview
Client MFP encrypts class 3 management frames sent between access points and CCXv5-capable client
stations, so that both AP and client can take preventative action by dropping spoofed class 3 management
frames (i.e. management frames passed between an AP and a client station that is authenticated and
associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3
Unicast management frames. The unicast cipher suite negotiated by the STA in the reassociation
request's RSNIE is used to protect both unicast data and class 3 management frames. An access point in
workgroup bridge, repeater, or non-root bridge mode must negotiate either TKIP or AES-CCMP to use
Client MFP.
Protection of Unicast Management Frames
Unicast class 3 management frames are protected by applying either AES-CCMP or TKIP in a similar
manner to that already used for data frames. Client MFP is enabled for autonomous access points only
if the encryption is AES-CCMP or TKIP and key management WPA Version 2.
Protection of Broadcast Management Frames
In order to prevent attacks using broadcast frames, access points supporting CCXv5 do not emit any
broadcast class 3 management frames. An access point in workgroup bridge, repeater, or non-root bridge
mode discards broadcast class 3 management frames if Client MFP is enabled.
Client MFP is enabled for autonomous access points only if the encryption is AES-CCMP or TKIP and
key management WPA Version 2.
Client MFP For Access Points in Root mode
Autonomous access points in root mode support mixed mode clients. Clients capable of CCXv5 with
negotiated cipher suite AES or TKIP with WPAv2 are Client MFP enabled. Client MFP is disabled for
clients which are not CCXv5 capable. By default, Client MFP is optional for a particular SSID on the
access point, and can be enabled or disabled using the CLI in SSID configuration mode.
Client MFP can be configured as either required or optional for a particular SSID. To configure Client
MFP as required, you must configure the SSID with key management WPA Version 2 mandatory. If the
key management is not WPAv2 mandatory, an error message is displayed and your CLI command is