10-08-2013 03:44 AM - edited 07-04-2021 01:02 AM
Hi
I am using a WLC 5008 running version 7.4.110.0, and we also have Prime 1.3 in our network.
We are getting an error that MFP should be required in dot1x:
"Set "MFP Client Protection" to "Required" to protect against clients connecting to a rogue AP."
Can we set it to Required for the SSID? What are the disadvantages of doing this?
The SSID is using EAP-TLS for authentication.
10-08-2013 04:21 AM
Hi Punit,
I have the same setup as you have, a 5008 WLC (we have a 2504).
You can choose "Optional" (this is the default).
If you want, you can also choose "Required".
Select Disabled, Optional, or Required.
Client MFP will only be active for a session if the client supports CCX (Cisco Compatible eXtensions) MFP, and if WPA2 is negotiated with the client. If Optional is selected, clients that do not negotiate MFP will be allowed to associate. If Required is selected, only clients that successfully negotiate MFP will be allowed to associate.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
With MFP, all management frames are cryptographically hashed to create a Message Integrity Check (MIC). The MIC is added to the end of the frame (before the Frame Check Sequence (FCS)).
*In a centralized wireless architecture, infrastructure MFP is enabled/disabled on the WLC (global config). Protection can be selectively disabled per WLAN, and validation can be selectively disabled per AP.
More information:
http://www.giga-wave.com/techtips-love-wireless-lan.asp
Hope it helps.
Regards
10-08-2013 09:04 AM
Thanks Sandeep
But how would I know that the client supports CCX?
Actually, I don't want a situation where clients cannot associate to my wireless network.
10-08-2013 11:30 PM
Hi Punit,
If you do
show client detail
then you can see whether the client supports it or not.
But in my case I chose "Optional".
Disabled turns off client support for MFP.
Optional enables client devices to participate as validator devices if they are capable, but still allows clients that cannot support MFP to participate in the network.
The Required setting makes client MFP support mandatory; devices which don't support MFP will not be allowed to join the network.
Hope it helps.
Regards
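To turn the advice above into a repeatable check before switching the WLAN from Optional to Required, here is an added Python example (not code from the original thread, from Cisco, or from Prime). It parses the dot-leader "key........ value" output of show client detail for several clients and applies the rule quoted earlier in the thread: client MFP is active only if the client supports CCX MFP and WPA2 was negotiated. The sample listings are constructed, and the field names (Policy Type, CCX version, Management Frame Protection) and the CCXv5 threshold are assumptions to verify against your own controller's output and documentation.

```python
import re

# Constructed sample output in the style of AireOS "show client detail" listings.
# The field names used below are assumptions about the controller's output format;
# verify them against your own WLC before relying on this script.
SAMPLE_CLIENTS = {
    "00:11:22:33:44:01": """\
Client MAC Address............................... 00:11:22:33:44:01
Client Username ................................. alice
Client State..................................... Associated
Policy Type...................................... WPA2
Encryption Cipher................................ CCMP (AES)
EAP Type......................................... EAP-TLS
CCX version...................................... CCXv5
Management Frame Protection...................... Yes
""",
    "00:11:22:33:44:02": """\
Client MAC Address............................... 00:11:22:33:44:02
Client Username ................................. bob
Client State..................................... Associated
Policy Type...................................... WPA2
Encryption Cipher................................ CCMP (AES)
EAP Type......................................... EAP-TLS
CCX version...................................... No CCX support
Management Frame Protection...................... No
""",
    "00:11:22:33:44:03": """\
Client MAC Address............................... 00:11:22:33:44:03
Client Username ................................. carol
Client State..................................... Associated
Policy Type...................................... WPA
Encryption Cipher................................ TKIP
EAP Type......................................... EAP-TLS
CCX version...................................... CCXv5
Management Frame Protection...................... No
""",
}

# "key.......... value" lines: the key runs up to the dot leader, the value follows it.
_FIELD_RE = re.compile(r"^(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_client_detail(text):
    """Turn one client's dot-leader listing into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def ccx_version(fields):
    """Numeric CCX version, or 0 when the client reports no CCX support."""
    m = re.search(r"CCXv(\d+)", fields.get("CCX version", ""), re.IGNORECASE)
    return int(m.group(1)) if m else 0


def assess_mfp(fields):
    """Apply the rule from the thread: client MFP is active only if the client
    supports CCX MFP and WPA2 was negotiated. Cisco documents client MFP as a
    CCXv5 feature, so version >= 5 is used as the capability threshold here
    (an assumption to confirm against the controller documentation)."""
    wpa2 = fields.get("Policy Type", "").upper().startswith("WPA2")
    ccx_mfp = ccx_version(fields) >= 5
    negotiated = fields.get("Management Frame Protection", "").lower() == "yes"
    return {
        "wpa2": wpa2,
        "ccx_mfp_capable": ccx_mfp,
        "mfp_negotiated": negotiated,
        # Under "Required", only clients that negotiated MFP may associate.
        "allowed_under_required": negotiated,
        # What the CCX/WPA2 rule predicts; compare it with what was observed.
        "predicted_mfp": wpa2 and ccx_mfp,
    }


def audit(clients):
    """Return {mac: [reasons]} for clients that would be dropped if the WLAN
    were switched to Required, based on what they negotiated under Optional."""
    dropped = {}
    for mac, text in clients.items():
        a = assess_mfp(parse_client_detail(text))
        if not a["allowed_under_required"]:
            reasons = []
            if not a["wpa2"]:
                reasons.append("no WPA2")
            if not a["ccx_mfp_capable"]:
                reasons.append("no CCXv5/MFP support")
            dropped[mac] = reasons or ["MFP not negotiated"]
    return dropped


if __name__ == "__main__":
    for mac, reasons in audit(SAMPLE_CLIENTS).items():
        print(f"{mac}: would be rejected under Required ({', '.join(reasons)})")
```

Run it against the real output of show client detail collected over a few days while the WLAN is still set to Optional; an empty result from audit() is the signal that flipping the WLAN to Required will not lock anybody out.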