One method of Management Frame Protection (MFP) is Infrastructure MFP. With this method, each management frame includes a cryptographic hash called a Message Integrity Check (MIC). The MIC is added to each frame before the Frame Check Sequence (FCS). When this is enabled, each WLAN has a unique key sent to each radio on the AP. Then, the AP sends management frames, and the network knows that this AP is in protection mode. If the frame were altered, or if someone spoofs the SSID of the WLAN and doesn't have the unique key, it invalidates the message. This causes other APs that hear the invalid frames to report them to the controller.
The other method of MFP is called Client MFP. If the client is running Cisco Compatible Extensions (CCX) 5 or better, it can talk to the AP and find out what the MIC is. Then it can verify management frames it hears in addition to the APs that provide this function. The major benefit of this mode is the extension of detection. In Figure 17-1, the APs are in the middle of the network, and clients are on the outside. The clients can detect the AP called BAD_AP that is generating invalid frames, even though BAD_AP is out of the range of the APs that are in protection mode.
With MFP version 1, all local mode APs are protectors. They digitally sign all frames they send. Any other AP, or the same local mode AP, for that matter, could be a validator.
With MFP version 2, clients must run the Cisco Secure Services Client (CSSC) or a client that is capable of CCXv5. This enables the client to hear the rogue and report illegitimate frames. You don't have to worry about your client associating with the rogue AP, because it drops invalid frames.
Client MFP has another benefit. Suppose a neighboring AP performed containment as a denial-of-service (DoS) method against your network because it's a deauthentication frame that is used for containment. The client would see that the containment frame doesn't have the MIC and would ignore the deauthentication frame. This would keep people from containing your network as a form of DoS attack.
Was this article helpful?