12-22
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter 12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection
Configuring Management Frame Protection
associated). Client MFP leverages the security mechanisms defined by IEEE 802.11i to protect class 3
Unicast management frames. The unicast cipher suite negotiated by the STA in the reassociation
request's RSNIE is used to protect both unicast data and class 3 management frames. An access point in
workgroup bridge, repeater, or non-root bridge mode must negotiate either TKIP or AES-CCMP to use
Client MFP.
Unicast class 3 management frames are protected by applying either AES-CCMP or TKIP in a similar
manner to that already used for data frames. Client MFP is enabled for autonomous access points only
if the encryption is AES-CCMP or TKIP and key management WPA Version 2.
In order to prevent attacks using broadcast frames, access points supporting CCXv5 and configured for
Client MFP do not emit any broadcast class 3 management frames. An access point in workgroup bridge,
repeater, or non-root bridge mode discards broadcast class 3 management frames if Client MFP is
enabled.
Note Cisco recommends using WPA2, and not implementing TKIP with WPA version 2, as this mode is being
deprecated.
Client MFP for Access Points in Root Mode
Autonomous access points in root mode support mixed mode clients. Clients capable of CCXv5 with
negotiated cipher suite AES or TKIP with WPAv2 are Client MFP enabled. Client MFP is disabled for
clients which are not CCXv5 capable. By default, Client MFP is optional for a particular SSID on the
access point, and can be enabled or disabled using the CLI in SSID configuration mode.
Client MFP can be configured as either required or optional for a particular SSID. To configure Client
MFP as required, you must first configure the SSID with key management WPA Version 2 mandatory. If the
key management is not WPAv2 mandatory, an error message is displayed and the CLI command is
rejected. Likewise, if Client MFP is configured as required under WPAv2 key management and you attempt
to change the key management, an error message is displayed and the CLI command is rejected. When
configured as optional, Client MFP is enabled if the SSID is capable of WPAv2; otherwise, Client MFP is
disabled.
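The following configuration fragment is an added example and is not taken from this guide. It shows how the required/optional dependency described above looks in SSID configuration mode on an autonomous Aironet access point: one SSID with Client MFP required (which only succeeds because key management is WPA version 2 mandatory) and one with Client MFP optional. The SSID names, VLAN IDs and pre-shared key are constructed placeholders, the command syntax (`dot11 ssid`, `authentication key-management`, `ids mfp client`, `encryption mode ciphers`) is assumed from the autonomous AP IOS command set and should be verified against the command reference for your release, and the surrounding VLAN, bridge-group and mbssid configuration is assumed to already exist.

```cisco
! Added example (not from the configuration guide). SSID names, VLANs and the
! PSK are constructed placeholders; command syntax is assumed from the
! autonomous Aironet IOS command set and must be checked against your release.
!
! SSID 1: Client MFP required. This is accepted only because key management is
! WPA version 2 *mandatory* (no trailing "optional" keyword and no version 1).
dot11 ssid MFP-REQUIRED
 vlan 10
 authentication open
 authentication key-management wpa version 2
 ids mfp client required
 wpa-psk ascii <REPLACE-WITH-STRONG-PSK>
!
! SSID 2: Client MFP optional. CCXv5 clients that negotiate AES-CCMP (or TKIP)
! with WPAv2 get Client MFP; clients that are not CCXv5 capable associate
! without it.
dot11 ssid MFP-OPTIONAL
 vlan 20
 authentication open
 authentication key-management wpa version 2
 ids mfp client optional
 wpa-psk ascii <REPLACE-WITH-STRONG-PSK>
!
! Client MFP can only be negotiated when the radio offers AES-CCMP or TKIP for
! the SSID's VLAN; AES-CCMP is used here, in line with the WPA2 recommendation.
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 encryption vlan 20 mode ciphers aes-ccm
 ssid MFP-REQUIRED
 ssid MFP-OPTIONAL
!
! Sequences the guide says the CLI rejects (comments only, not configuration):
!   authentication key-management wpa version 2 optional  -> "ids mfp client required" is rejected
!   authentication key-management wpa version 1           -> "ids mfp client required" is rejected
!   changing key management away from WPAv2 while "ids mfp client required" is set -> rejected
```

After applying the fragment, the rejection behaviour can be confirmed by entering the rejected sequences deliberately in a lab: the access point should return an error and leave the previous SSID configuration unchanged, which is the check that the required mode cannot be silently weakened.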