Cisco AP infrastructure Management Frame Protection (MFP) Troubleshooting and Debugging

Saravanan Lakshmanan · ‎01-15-2014

Introduction

AP Infrastructure Management Frame Protection MFP Troubleshooting and Debugging.

Infrastructure MFP— Protects management frames by detecting adversaries that are invoking denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting network performance by attacking the QoS and radio measurement frames. Infrastructure MFP is a global setting that provides a quick and effective means to detect and report phishing incidents.

Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity check information elements (MIC IEs) to the management frames emitted by access points (and not those emitted by clients), which are then validated by other access points in the network. Infrastructure MFP is passive. It can detect and report intrusions but has no means to stop them.

How to enable AP/ Infrastructure MFP CLI

(Cisco Controller) >config wps mfp infrastructure enable

How to enable AP/Infrastrcuture MFP GUI

Security>> Wireless Protection Policy>> AP Authentication>> Protection type - Management Frame Protection.

AP-Impersonation can be enabled/disabled

(Cisco Controller) >config wps mfp ap-impersonation enable/disable

Calo-core-AP4#show boot

BOOT path-list: flash:/ap3g1-k9w8-mx.v152_4_jb.201310191930/ap3g1-k9w8-mx.v152_4_jb.201310191930

Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: yes
Manual Boot: no
Enable IOS Break: no
HELPER path-list:
NVRAM/Config file
buffer size: 32768
Mode Button: on
Radio Core TFTP:

Show Commands

show wps mfp statistics

(Cisco Controller) >show wps mfp statistics

BSSID Radio Validator AP Last Source Addr Found Error Type Count Frame Types
----------------- ----- -------------------- ----------------- ------ -------------- ---------- -----------
no errors

show wps mfp summary

(Cisco Controller) >show wps mfp summary

Management Frame Protection
Global Infrastructure MFP state................ Enabled =========> Check
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... True

WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 Wireless-MO Disabled Optional but inactive (WPA2 not configured)
2 Web Passthrough Disabled Optional but inactive (WPA2 not configured)
3 vmaan-momolaja Enabled Optional but inactive (WPA2 not configured)
16 111111 Disabled Optional

show wps summary

(Cisco Controller) >show wps summary

Auto-Immune
Auto-Immune.................................... Disabled
Auto-Immune by aWIPS Prevention................ Disabled

Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Maximum 802.1x-AAA failure attempts............ 3

Signature Policy
Signature Processing........................... Enabled

Management Frame Protection
Global Infrastructure MFP state................ Enabled =========> Check
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... True

WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 Wireless-MO Disabled Optional but inactive (WPA2 not configured)
2 Web Passthrough Disabled Optional but inactive (WPA2 not configured)
3 vmaan-momolaja Enabled Optional but inactive (WPA2 not configured)
16 111111 Disabled Optional

Debugs on WLC for AP Infrastructure MFP

(Cisco Controller) >debug wps mfp capwap enable
(Cisco Controller) >debug wps mfp detail enable
(Cisco Controller) >debug wps mfp report enable
(Cisco Controller) >debug wps mfp mm enable
(Cisco Controller) >show deb

MAC debugging .............................. disabled
Debug Flags Enabled:
WPS MFP CAPWAP debug enabled. 
WPS MFP detailed debug enabled.
WPS MFP reporting debug enabled.

WPS MFP MM debug enabled.

*mfpEventTask: Nov 30 00:43:18.684: MFP report event slot=0 type=1 bssid 3C:CE:73:1A:45:31 key=9714 event=01 cnt=1 period=7 frames=0100 from 08:CC:68:B4:47:80
*mfpEventTask: Nov 30 00:43:18.684: MFP hash use - hash=111 slot=1 3C:CE:73:1A:45:31
*mfpKeyRefreshTask: Nov 30 00:44:11.036: Query for peer WLC key if there is anomaly report due to key mismatch

*mfpKeyRefreshTask: Nov 30 00:46:26.072: Query for peer WLC key if there is anomaly report due to key mismatch

*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP forwarding event report, index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP stats entry index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP stats entry index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP sending event report, stats Type 0 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP sending event report, stats Type 1 count 1 frame types 256
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 2 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 3 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 4 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 5 count 0 frame types 0

AP debugs

Calo-core-AP4#debug capwap mfp
Calo-core-AP4#debug dot11 mfp infrastructure

Calo-core-AP4#show debug
MFP DOT11:
IO debugging is on
MFP:
MFP debugging is on

*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =0 mac=3cce.731a.4 530
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =1 mac=0c68.03cb.1 0e0
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =2 mac=08cc.68b4.4 780
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =3 mac=203a.07e4.1 9b0
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =4 mac=03f9.f938.7 31d

Calo-core-AP4#show int d0 mfp infrastructure detector

BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160484
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN

****************************

Calo-core-AP4#show int d0 mfp infrastructure detector anomaly
Anomaly 1 BSSID 0c68.03cb.10e0
Key Details:
0 7B3A Bcast: 5D48668BBA974F106965143616A5A1B3
Ucast: C790DB3B15DD4F9D52CF08C5B0509B34
1:val 2A54 Bcast: DC4199FEF1BA886323A581B7FE51C75F
Ucast: 60DB62E5B4C9B95C5666DC7C5654E90A
Computed MIC: 0
Mgmt frame [Len 290]:
000000 80 00 00 00 FF FF FF FF FF FF 0C 68 03 CB 10 E0
000010 0C 68 03 CB 10 E0 80 80 5F 91 EE 2D 50 03 00 00
000020 66 00 21 14 00 0B 57 69 72 65 6C 65 73 73 2D 4D
000030 4F 01 08 82 84 8B 0C 12 96 18 24 03 01 06 05 04
000040 00 01 00 00 07 06 55 53 20 01 0B 1E 0B 05 00 00
000050 D5 8D 5B 2A 01 02 2D 1A AC 11 1B FF FF 00 00 00
000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000070 00 00 32 04 30 48 60 6C 3D 16 06 00 05 00 00 00
000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000090 7F 08 00 10 00 00 00 40 00 01 85 1E 0D 00 8F 00
0000A0 0F 00 FF 03 59 00 41 50 66 38 37 32 2E 65 61 37
0000B0 63 2E 39 33 64 00 00 00 00 42 96 06 00 40 96 00
0000C0 07 00 DD 18 00 50 F2 02 01 01 80 00 03 A4 00 00
0000D0 27 A4 00 00 42 43 5E 00 62 32 2F 00 DD 06 00 40
0000E0 96 01 01 04 DD 05 00 40 96 03 05 DD 05 00 40 96
0000F0 0B 09 DD 08 00 40 96 13 01 00 34 01 DD 05 00 40
000100 96 14 04 DD 1D 00 40 96 0C 03 D7 C6 D0 94 F7 33
000110 42 01 00 00 3C 0C 00 00 00 00 4C BE B6 A4 DA 9C
000120 E0 95

***********************

Calo-core-AP4#show int d0 mfp infrastructure detector key all
Radio MAC State SK SKID BCast, UCast
08cc.68b4.4780 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
08cc.68b4.4780 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
08cc.68b4.4781 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
08cc.68b4.4781 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
08cc.68b4.4782 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
08cc.68b4.4782 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
0c68.03cb.10e0 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
0c68.03cb.10e0 ENA 1:inv(0x07) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
0c68.03cb.10e1 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
0c68.03cb.10e1 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
0c68.03cb.10e2 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
0c68.03cb.10e2 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
203a.07e4.19b0 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
203a.07e4.19b0 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
203a.07e4.19b1 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
203a.07e4.19b1 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
203a.07e4.19b2 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
203a.07e4.19b2 ENA 1:val(0x03) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
3cce.731a.4530 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
3cce.731a.4530 ENA 1:inv(0x07) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
3cce.731a.4531 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
3cce.731a.4531 ENA 1:inv(0x07) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34
3cce.731a.4532 ENA 0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
3cce.731a.4532 ENA 1:inv(0x07) 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34

******************

Calo-core-AP4#show int d0 mfp infrastructure detector statistics
BSSID state total val-mic inv-skid inv-mic inv-sc inv-ntp no-mic dis-mic dis-n-m
08cc.68b4.4780 ENA 25211 25207 4 0 0 0 0 0 0
08cc.68b4.4781 ENA 32268 32255 13 0 0 0 0 0 0
08cc.68b4.4782 ENA 42942 42925 17 0 0 0 0 0 0
0c68.03cb.10e0 ENA 33183 33164 19 0 0 0 0 0 0
0c68.03cb.10e1 ENA 34985 34965 20 0 0 0 0 0 0
0c68.03cb.10e2 ENA 35447 35422 25 0 0 0 0 0 0
203a.07e4.19b0 ENA 1707478 1707317 161 0 0 0 0 0 0
203a.07e4.19b1 ENA 1861197 1860997 199 0 1 0 0 0 0
203a.07e4.19b2 ENA 1792991 1792827 164 0 0 0 0 0 0
3cce.731a.4530 ENA 16280517 16279106 1410 0 0 0 0 0 0
3cce.731a.4531 ENA 17629100 17627546 1554 0 6 0 0 0 0
3cce.731a.4532 ENA 17018997 17017517 1480 0 5 0 0 0 0
Total = 56496886, BSSIDs = 56494316, Deleted = 0, Unprocessed = 8, Dropped = 447494305, NoMicDrop = 4293470, num_nodes = 12

*******************

Calo-core-AP4#show int d0 mfp infrastructure generator
BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160712
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN

*********************

Calo-core-AP4#show int d0 mfp infrastructure generator key all

Radio MAC SKID BCast, UCast
Current Keys [Update Time=23:02:07 UTC Dec 19 2013, Update Count=22]:
68bc.0c06.d7b0 C6D7 E573AF0C28BEF01E958C485F9937C984
59C255DF790048966D340D67FBC50D90
Previous Keys:
68bc.0c06.d7b0 7B3A 5D48668BBA974F106965143616A5A1B3
C790DB3B15DD4F9D52CF08C5B0509B34

***********************

Calo-core-AP4#show int d0 mfp infrastructure generator statistics
BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160808
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN