Management frame protection, Overview, Protection of unicast management frames – Rockwell Automation 1783-WAPxxx Stratix 5100 Wireless Access Point User Manual User Manual
Page 397: Overview protection of unicast management frames
Rockwell Automation Publication 1783-UM006A-EN-P - May 2014
397
Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services
Chapter 13
Management Frame
Protection
Management Frame Protection provides security features for the management
messages passed between Access Point and Client stations. MFP consists of two
functional components: Infrastructure MFP and Client MFP.
Infrastructure MFP provides Infrastructure support. Infrastructure MFP utilizes
a message integrity check (MIC) across broadcast and directed management
frames that can assist in detection of rogue devices and denial of service attacks.
Client MFP provides client support. Client MFP protects authenticated clients
from spoofed frames, by preventing many of the common attacks against
WLANs from becoming effective.
Management Frame Protection operation requires a WDS and is available only
on 32 Mb platforms. MFP is configured at the WLSE, but you can configure
MFP on an access point and WDS manually.
For complete protection, you can also configure an MFP access point for Simple
Network Transfer Protocol (SNTP).
Overview
Client MFP encrypts class 3 management frames sent between access points and
CCXv5-capable client stations, so that both AP and client can take preventative
action by dropping spoofed class 3 management frames, for example,
management frames passed between an AP and a client station that is
authenticated and associated.
Client MFP leverages the security mechanisms defined by IEEE 802.11i to
protect class 3 Unicast management frames. The unicast cipher suite negotiated
by the STA in the reassociation request's RSNIE is used to protect both unicast
data and class 3 management frames. An access point in workgroup bridge,
repeater, or non-root bridge mode must negotiate either TKIP or AES-CCMP
to use Client MFP.
Protection of Unicast Management Frames
Unicast class 3 management frames are protected by applying either AES-CCMP
or TKIP in a similar manner to that already used for data frames. Client MFP is
enabled only for autonomous access points if the encryption is AES-CCMP or
TKIP and key management WPA version 2.
TIP
If a WLSE is not present, then MFP cannot report detected intrusions and so has
limited effectiveness. If a WLSE is present, you can perform the configuration
from the WLSE.