Saturday, October 10, 2009

MFP with WLC & LAP

[notes]
Client MFP is supported on v4.1.171.0 and above.
Version 4.0.2.206.0 provides optimal performance with MFP.

MFP adds a long set of information elements to each probe request or SSID beacon. Some clients cannot process this information and may not be able to associate to an SSID with MFP enabled.

The AP adds a MIC IE to each management frame.
NTP must be used to ensure timestamp synchronization between APs and the WLC.

The MIC is added to the end of the frame before the FCS.

Infrastructure MFP is enabled/disabled on the WLC globally.
Protection can be disabled per AP.
 - protection: disable on WLANs with devices that cannot cope with the extra IEs
 - validation: disable on APs that are overloaded/overpowered.

Client MFP Functionality
Encrypts management frames sent between APs and CCXv5 clients so that spoofed class 3 management frames (disassociation, deauthentication and QoS/WMM actions) can be dropped.
Clients must support CCXv5 MFP and must negotiate WPA2 with either TKIP or AES-CCMP.
EAP or PSK can be used to obtain the PMK.
CCKM and controller mobility management are used to distribute session keys between APs for L2 and L3 fast roaming.
CCXv5 clients do not emit any broadcast class 3 management frames.

Client MFP does not use the key generation and distribution mechanisms that were derived for Infrastructure MFP. Instead, client MFP leverages the security mechanisms defined by IEEE 802.11i to also protect class 3 unicast management frames.

AES-CCMP and TKIP protected frames include a sequence counter in the IV fields.

The current transmit counter is used for both data and management frames, but a new receive counter is used for management frames.
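The two mechanisms above (a MIC IE appended to the management frame, and a separate receive counter for management frames) can be illustrated with a small model. This is an added example, not Cisco's MFP implementation: the real MIC IE layout, key derivation and counter encoding are not on the page, so MFP_KEY, MIC_IE_ID, the 8-byte counter + 4-byte timestamp payload, TIMESTAMP_WINDOW and the function names are all assumptions made for the illustration. It shows why a receiver that keeps its own management-frame counter rejects replays, why a MIC over the body catches tampering, and why the timestamp check depends on NTP-synchronised clocks.

```python
"""Toy model of management-frame integrity protection and replay detection.

Added illustration only; not Cisco's MFP format or key schedule.
"""
import hashlib
import hmac
import struct

# Hypothetical shared key distributed to the APs (constructed for this example).
MFP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

MIC_IE_ID = 0xDD          # stand-in IE id for the MIC element (assumption)
MIC_LEN = 8               # truncated HMAC length used here
PAYLOAD_LEN = 12          # 8-byte sequence counter + 4-byte timestamp
IE_LEN = 2 + PAYLOAD_LEN + MIC_LEN
TIMESTAMP_WINDOW = 5      # seconds of clock skew tolerated; needs NTP on both sides


def build_mic_ie(frame_body: bytes, bssid: bytes, seq: int, ts: int) -> bytes:
    """Append a MIC IE covering the BSSID, frame body, counter and timestamp."""
    payload = struct.pack(">QI", seq, ts)
    mic = hmac.new(MFP_KEY, bssid + frame_body + payload, hashlib.sha256).digest()[:MIC_LEN]
    ie_body = payload + mic
    return frame_body + bytes([MIC_IE_ID, len(ie_body)]) + ie_body


def validate_frame(frame: bytes, bssid: bytes, mgmt_rx_counter: dict, now: int):
    """Validate a received management frame; returns (accepted, reason).

    mgmt_rx_counter is the receive counter kept only for management frames,
    separate from the data-frame counter, as the notes describe.
    """
    if len(frame) < IE_LEN or frame[-IE_LEN] != MIC_IE_ID:
        return False, "missing MIC IE"
    body, ie = frame[:-IE_LEN], frame[-IE_LEN:]
    payload, mic = ie[2:2 + PAYLOAD_LEN], ie[2 + PAYLOAD_LEN:]
    seq, ts = struct.unpack(">QI", payload)
    expected = hmac.new(MFP_KEY, bssid + body + payload, hashlib.sha256).digest()[:MIC_LEN]
    if not hmac.compare_digest(mic, expected):
        return False, "bad MIC"                    # tampered or forged frame
    if abs(now - ts) > TIMESTAMP_WINDOW:
        return False, "timestamp outside window"   # stale frame or unsynchronised clock
    if seq <= mgmt_rx_counter.get(bssid, -1):
        return False, "replayed sequence counter"  # counter did not advance
    mgmt_rx_counter[bssid] = seq
    return True, "ok"


def demo():
    """Run the model over constructed frames and return the validation results."""
    bssid = bytes.fromhex("001122334455")        # constructed BSSID
    body = b"\x02\x00"                            # constructed body: a 2-byte reason code
    rx_counter = {}
    now = 1_000_000                               # constructed epoch time

    genuine = build_mic_ie(body, bssid, seq=1, ts=now)
    accepted = validate_frame(genuine, bssid, rx_counter, now)
    replayed = validate_frame(genuine, bssid, rx_counter, now)   # same counter again
    unprotected = validate_frame(body, bssid, rx_counter, now)   # no MIC IE at all
    tampered = bytearray(genuine)
    tampered[0] ^= 0x01                                          # flip a body bit
    modified = validate_frame(bytes(tampered), bssid, rx_counter, now)
    fresh = build_mic_ie(body, bssid, seq=2, ts=now)
    stale = validate_frame(fresh, bssid, rx_counter, now + 60)   # receiver clock 60 s ahead
    return accepted, replayed, unprotected, modified, stale


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The receive counter is keyed per BSSID and only consulted after the MIC check, so an unauthenticated frame can never advance it; the timestamp check is what turns an unsynchronised clock into dropped frames, which is why the notes insist on NTP.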

MFP-1 reporting mechanisms are used to report management frame de-encapsulation errors detected by APs. The WLC collects MFP validation errors and forwards the collated information to WCS.

Clients that are not CCXv5 can associate with an MFP-2 WLAN. The APs keep track of these MFP-2 clients and determine whether MFP-2 security measures are applied to outbound unicast management frames and expected on inbound unicast management frames.

MFP is not supported on APs in rogue-detection or sniffer mode.

If Client MFP is required, all clients must support MFP-2 or they are unable to connect to the WLAN.

Controller Menu > Security > Wireless Protection Policies > Management Frame Protection
   controller time source valid = false (this indicates the time on the WLC is set locally rather than from NTP)

show wps summary
show wps mfp summary
show ap config general [ap-name]

debug wps mfp lwapp
debug wps mfp detail
debug wps mfp report
debug wps mfp mm
