Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7116
Views
0
Helpful
3
Replies

MFP client protection is optional by default

Go to solution
Puneet Gupta
Level 1
Level 1

‎10-08-2013 03:44 AM - edited ‎07-04-2021 01:02 AM

Hi

I am using WLC 5008 with 7.4.110.0 version and we have also PRIME 1.3 in our netowrk.

We are getting an error the MFP should be reuired in dot1x.

"

Set "MFP Client Protection" to "Required" to protect against clients connecting to a rogue AP."

Can we set to reuired for SSID ? what are the disadvantages of doing this ?

SSID is using EAP-TLS for authentication.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni

‎10-08-2013 04:21 AM

HI Punit,

I have same setutp as u have 5008 WLC(we have 2504).

You can choose as "Optional".(This is by default)

If you want then you can also choose "Required"

WLAN SSID on the controller has MFP Client Protection set to "Optional".

With MFP Client Protection set to optional for a WLAN, authenticated clients may not be shielded from spoofed frames.

Set MFP Client Protection to "Required" to protect against clients connecting to a rogue access point.

Select Disabled, Optional, or Required.

Client  MFP will only be active for a session if the client supports CCX (Cisco  Compatible eXtensions) MFP, and if WPA2 is negotiated with the client.  If Optional is selected, clients that do not negotiate MFP will be  allowed to associate. If Required is selected, only clients that  successfully negotiate MFP will be allowed to associate.

"http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml" ........

With  MFP, all management frames are cryptographically hashed to create a  Message Integrity Check (MIC). The MIC is added to the end of the frame  (before the Frame Check Sequence (FCS)).
   *In a centralized  wireless architecture, infrastructure MFP is enabled/disabled on the WLC  (global config). Protection can be selectively disabled per WLAN, and  validation can be selectively disabled per AP.

....More INformation:

http://www.giga-wave.com/techtips-love-wireless-lan.asp

Hope it helps.

Regards

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni

‎10-08-2013 04:21 AM

HI Punit,

I have same setutp as u have 5008 WLC(we have 2504).

You can choose as "Optional".(This is by default)

If you want then you can also choose "Required"

WLAN SSID on the controller has MFP Client Protection set to "Optional".

With MFP Client Protection set to optional for a WLAN, authenticated clients may not be shielded from spoofed frames.

Set MFP Client Protection to "Required" to protect against clients connecting to a rogue access point.

Select Disabled, Optional, or Required.

Client  MFP will only be active for a session if the client supports CCX (Cisco  Compatible eXtensions) MFP, and if WPA2 is negotiated with the client.  If Optional is selected, clients that do not negotiate MFP will be  allowed to associate. If Required is selected, only clients that  successfully negotiate MFP will be allowed to associate.

"http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml" ........

With  MFP, all management frames are cryptographically hashed to create a  Message Integrity Check (MIC). The MIC is added to the end of the frame  (before the Frame Check Sequence (FCS)).
   *In a centralized  wireless architecture, infrastructure MFP is enabled/disabled on the WLC  (global config). Protection can be selectively disabled per WLAN, and  validation can be selectively disabled per AP.

....More INformation:

http://www.giga-wave.com/techtips-love-wireless-lan.asp

Hope it helps.

Regards

0 Helpful

Go to solution
Puneet Gupta
Level 1
Level 1
In response to Sandeep Choudhary

‎10-08-2013 09:04 AM

Thanks Sandeep

But how would i know that client supports CCX ?

Actually i dont want a situation where client do not associate to my wireless netwrok.

0 Helpful

Go to solution
Sandeep Choudhary
VIP Alumni
VIP Alumni
In response to Puneet Gupta

‎10-08-2013 11:30 PM

Hi Punit,

If you do

show client detail

Then you can see the if client is supported or not.

But in my case i choosed " optional ".

Disabled turns off client support for MFP.

Optional enables client devices to participate as validator devices if they are capable, but still allows clients that cannot support MFP to participate in the network.

The Required setting makes client MFP support mandatory-devices which don’t support MFP will not be allowed to join the network.

Hope it helps.

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card