MFP Configuration

Hi,

Since upgrading to 12.3(8)JA and JA2, we are getting the following message from the WLSE.

Change: Unable to verify MFP configuration

ChangeSeverity: P2

StateChange: MFPConfiguration is MFPConfigMismatch

AlarmState: Active

OverallSeverity: P2

DeviceType: IOSAccessPoint

Followed by:

MO: Device

Change: Actual and Requested MFP Configurations match

ChangeSeverity: OK

StateChange: MFPConfiguration is OK

AlarmState: Cleared

OverallSeverity: OK

DeviceType: IOSAccessPoint

Does anyone know what this refers to?

Regards

Miron

1 REPLY

Re: MFP Configuration

Hi Miron,

Have you seen these docs? They show how to enable/disable MFP along with error descriptions etc.:

Enhanced IDS with Management Frame Protection

Management Frame Protection (MFP), which authenticates management frames between Access Points, eliminates several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE enables MFP in the network and provides visibility into network events associated with MFP detection/protection.

Understanding Management Frame Protection

Although the data frames passing through an 802.11 network are considered to have excellent authentication and privacy through the protocol enhancements of 802.11i, control and management frames are still extremely vulnerable in a strictly 802.11-standard network. Because control and management frames are unauthenticated, any rogue device can, for example, mimic an access point and tell 802.11 client devices that they are no longer associated to that AP.

Management Frame Protection (MFP) inserts secure authentication information into 802.11 management frames to prevent this type of attack. This feature allows network infrastructure devices (APs and their related servers) to be MFP generators and detectors, essentially cross-checking each other during network operations. The primary network-level management takes place at the Wireless Domain Server (WDS) level, and the managed APs provide both generation and detection capabilities. The WLSE functions as a reporting mechanism by logging alerts, sending email to administrators, and so on.

When MFP is enabled for a network, each MFP-capable detector AP queries the WDS when it first observes a management frame from a given generator AP. The WDS tells the detector whether the generator should be producing MFP frames, and, if so, what its AAA keys should be. If the WDS's expectation of the MFP state of the generator AP is violated, the detector AP sends the WDS an MFP report. As all generator APs' AAA keys are rotated, the WDS informs all detector APs ahead of time to avoid false alarms.

Detecting Management Frame Protection Faults

http://www.cisco.com/en/US/products/sw/cscowork/ps3915/products_user_guide_chapter09186a0080528072.html#wp1140019

Fault Descriptions

http://www.cisco.com/en/US/products/sw/cscowork/ps3915/prod_troubleshooting_guide_chapter09186a00805287a8.html

Hope this helps!

Rob

Please remember to rate helpful posts.....
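The generator/detector/WDS exchange described in the quoted doc text, as an added simulation (my own Python, not Cisco's code or the WLSE's logic): a detector queries the WDS the first time it sees a generator, raises a report when the frame violates the WDS's expectation, and is told about a key rotation ahead of time so frames under the new key are not reported as false alarms. The MIC function, AP names and keys are constructed stand-ins, and the rotation is compressed into one step.

```python
import hashlib, hmac

def mfp_mic(key: bytes, frame: bytes) -> bytes:
    # Stand-in for the MFP authentication tag (constructed; not Cisco's real MIC format).
    return hmac.new(key, frame, hashlib.sha256).digest()[:8]

class Wds:
    """Source of truth for each generator AP's expected MFP state and keys."""
    def __init__(self, expected):
        self.expected = dict(expected)   # generator -> (mfp_enabled, key) or (False, None)
        self.detectors = []
        self.reports = []                # MFP reports sent by detectors (what WLSE would log)

    def query(self, generator):
        enabled, key = self.expected[generator]
        return enabled, ([key] if enabled else [])

    def announce_rotation(self, generator, new_key):
        # Push the upcoming key to every detector first, so frames signed with it
        # are not reported as violations once the generator switches over.
        for d in self.detectors:
            d.accept_keys(generator, self.query(generator)[1] + [new_key])
        self.expected[generator] = (True, new_key)

class DetectorAp:
    def __init__(self, mac, wds):
        self.mac, self.wds, self.cache = mac, wds, {}
        wds.detectors.append(self)

    def accept_keys(self, generator, keys):
        if generator in self.cache:                          # only refresh what we track
            self.cache[generator] = (True, keys)

    def observe(self, generator, frame, tag):
        """Validate one management frame; returns True if it matched the WDS expectation."""
        if generator not in self.cache:                      # first sighting: ask the WDS
            self.cache[generator] = self.wds.query(generator)
        enabled, keys = self.cache[generator]
        if not enabled:
            ok = tag is None
            reason = "MFP frame from generator expected to be MFP-off"
        elif tag is None:
            ok, reason = False, "management frame without MFP tag"
        else:
            ok = any(hmac.compare_digest(mfp_mic(k, frame), tag) for k in keys)
            reason = "MFP tag does not verify (possible spoofed frame)"
        if not ok:
            self.wds.reports.append((self.mac, generator, reason))
        return ok
```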
