01-15-2014 03:31 PM - edited 11-18-2020 03:05 AM
AP Infrastructure Management Frame Protection MFP Troubleshooting and Debugging.
Infrastructure MFP— Protects management frames by detecting adversaries that are invoking denial-of-service attacks, flooding the network with associations and probes, interjecting as rogue access points, and affecting network performance by attacking the QoS and radio measurement frames. Infrastructure MFP is a global setting that provides a quick and effective means to detect and report phishing incidents.
Specifically, infrastructure MFP protects 802.11 session management functions by adding message integrity check information elements (MIC IEs) to the management frames emitted by access points (and not those emitted by clients), which are then validated by other access points in the network. Infrastructure MFP is passive. It can detect and report intrusions but has no means to stop them.
(Cisco Controller) >config wps mfp infrastructure enable
GUI: Security > Wireless Protection Policy > AP Authentication > Protection type: Management Frame Protection.
(Cisco Controller) >config wps mfp ap-impersonation enable/disable
Calo-core-AP4#show boot
BOOT path-list: flash:/ap3g1-k9w8-mx.v152_4_jb.201310191930/ap3g1-k9w8-mx.v152_4_jb.201310191930
Config file: flash:/config.txt
Private Config file: flash:/private-config
Enable Break: yes
Manual Boot: no
Enable IOS Break: no
HELPER path-list:
NVRAM/Config file buffer size: 32768
Mode Button: on
Radio Core TFTP:
(Cisco Controller) >show wps mfp statistics
BSSID Radio Validator AP Last Source Addr Found Error Type Count Frame Types
----------------- ----- -------------------- ----------------- ------ -------------- ---------- -----------
no errors
(Cisco Controller) >show wps mfp summary
Management Frame Protection
Global Infrastructure MFP state................ Enabled =========> Check
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... True
WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 Wireless-MO Disabled Optional but inactive (WPA2 not configured)
2 Web Passthrough Disabled Optional but inactive (WPA2 not configured)
3 vmaan-momolaja Enabled Optional but inactive (WPA2 not configured)
16 111111 Disabled Optional
(Cisco Controller) >show wps summary
Auto-Immune
Auto-Immune.................................... Disabled
Auto-Immune by aWIPS Prevention................ Disabled
Client Exclusion Policy
Excessive 802.11-association failures.......... Enabled
Excessive 802.11-authentication failures....... Enabled
Excessive 802.1x-authentication................ Enabled
IP-theft....................................... Enabled
Excessive Web authentication failure........... Enabled
Maximum 802.1x-AAA failure attempts............ 3
Signature Policy
Signature Processing........................... Enabled
Management Frame Protection
Global Infrastructure MFP state................ Enabled =========> Check
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... True
WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 Wireless-MO Disabled Optional but inactive (WPA2 not configured)
2 Web Passthrough Disabled Optional but inactive (WPA2 not configured)
3 vmaan-momolaja Enabled Optional but inactive (WPA2 not configured)
16 111111 Disabled Optional
(Cisco Controller) >debug wps mfp capwap enable
(Cisco Controller) >debug wps mfp detail enable
(Cisco Controller) >debug wps mfp report enable
(Cisco Controller) >debug wps mfp mm enable
(Cisco Controller) >show deb
MAC debugging .............................. disabled
Debug Flags Enabled:
WPS MFP CAPWAP debug enabled.
WPS MFP detailed debug enabled.
WPS MFP reporting debug enabled.
WPS MFP MM debug enabled.
*mfpEventTask: Nov 30 00:43:18.684: MFP report event slot=0 type=1 bssid 3C:CE:73:1A:45:31 key=9714 event=01 cnt=1 period=7 frames=0100 from 08:CC:68:B4:47:80
*mfpEventTask: Nov 30 00:43:18.684: MFP hash use - hash=111 slot=1 3C:CE:73:1A:45:31
*mfpKeyRefreshTask: Nov 30 00:44:11.036: Query for peer WLC key if there is anomaly report due to key mismatch
*mfpKeyRefreshTask: Nov 30 00:46:26.072: Query for peer WLC key if there is anomaly report due to key mismatch
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP forwarding event report, index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP stats entry index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP stats entry index 1
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP sending event report, stats Type 0 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.676: MFP sending event report, stats Type 1 count 1 frame types 256
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 2 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 3 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 4 count 0 frame types 0
*mfpTrapForwardTask: Nov 30 00:46:46.677: MFP sending event report, stats Type 5 count 0 frame types 0
Calo-core-AP4#debug capwap mfp
Calo-core-AP4#debug dot11 mfp infrastructure
Calo-core-AP4#show debug
MFP DOT11:
IO debugging is on
MFP:
MFP debugging is on
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =0 mac=3cce.731a.4530
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =1 mac=0c68.03cb.10e0
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =2 mac=08cc.68b4.4780
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =3 mac=203a.07e4.19b0
*Nov 29 23:35:27.111: CAPWAP MFP: local neighbor slot=0 index =4 mac=03f9.f938.731d
Calo-core-AP4#show int d0 mfp infrastructure detector
BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160484
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN
****************************
Calo-core-AP4#show int d0 mfp infrastructure detector anomaly
Anomaly 1
BSSID 0c68.03cb.10e0
Key Details:
0 7B3A Bcast: 5D48668BBA974F106965143616A5A1B3 Ucast: C790DB3B15DD4F9D52CF08C5B0509B34
1:val 2A54 Bcast: DC4199FEF1BA886323A581B7FE51C75F Ucast: 60DB62E5B4C9B95C5666DC7C5654E90A
Computed MIC: 0
Mgmt frame [Len 290]:
***********************
Calo-core-AP4#show int d0 mfp infrastructure detector key all
Radio MAC State SK SKID BCast, UCast
******************
Calo-core-AP4#show int d0 mfp infrastructure detector statistics
BSSID state total val-mic inv-skid inv-mic inv-sc inv-ntp no-mic dis-mic dis-n-m
08cc.68b4.4780 ENA 25211 25207 4 0 0 0 0 0 0
08cc.68b4.4781 ENA 32268 32255 13 0 0 0 0 0 0
08cc.68b4.4782 ENA 42942 42925 17 0 0 0 0 0 0
0c68.03cb.10e0 ENA 33183 33164 19 0 0 0 0 0 0
0c68.03cb.10e1 ENA 34985 34965 20 0 0 0 0 0 0
0c68.03cb.10e2 ENA 35447 35422 25 0 0 0 0 0 0
203a.07e4.19b0 ENA 1707478 1707317 161 0 0 0 0 0 0
203a.07e4.19b1 ENA 1861197 1860997 199 0 1 0 0 0 0
203a.07e4.19b2 ENA 1792991 1792827 164 0 0 0 0 0 0
3cce.731a.4530 ENA 16280517 16279106 1410 0 0 0 0 0 0
3cce.731a.4531 ENA 17629100 17627546 1554 0 6 0 0 0 0
3cce.731a.4532 ENA 17018997 17017517 1480 0 5 0 0 0 0
Total = 56496886, BSSIDs = 56494316, Deleted = 0, Unprocessed = 8, Dropped = 447494305, NoMicDrop = 4293470, num_nodes = 12
*******************
Calo-core-AP4#show int d0 mfp infrastructure generator
BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160712
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN
*********************
Calo-core-AP4#show int d0 mfp infrastructure generator key all
Radio MAC SKID BCast, UCast
Current Keys [Update Time=23:02:07 UTC Dec 19 2013, Update Count=22]:
68bc.0c06.d7b0 C6D7 E573AF0C28BEF01E958C485F9937C984 59C255DF790048966D340D67FBC50D90
Previous Keys:
68bc.0c06.d7b0 7B3A 5D48668BBA974F106965143616A5A1B3 C790DB3B15DD4F9D52CF08C5B0509B34
***********************
Calo-core-AP4#show int d0 mfp infrastructure generator statistics
BSSID: 68bc.0c06.d7b0 (Reverse WLAN not set)
Beacon/Probe Rsp MICed : 2160808
Other mgmt frames MICed : 5527
BSSID State
0 ENA
1 ENA
2 ENA
3 IGN
4 IGN
5 IGN
6 IGN
7 IGN
8 IGN
9 IGN
A IGN
B IGN
C IGN
D IGN
E IGN
F IGN
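Because infrastructure MFP only detects and reports, the per-BSSID counters from "show int d0 mfp infrastructure detector statistics" are what a monitoring job would watch. The following Python is an added example, not Cisco's or the author's code: it parses that table and flags BSSIDs whose share of frames that did not validate exceeds a threshold. The function names and the max_rate threshold are assumptions; the column names and the three sample rows are taken from the output on this page.

```python
import re

# Counter columns as they appear in the header of
# "show int d0 mfp infrastructure detector statistics".
COLUMNS = ["total", "val-mic", "inv-skid", "inv-mic", "inv-sc",
           "inv-ntp", "no-mic", "dis-mic", "dis-n-m"]
# A data row: dotted MAC, state, then exactly nine integer counters.
ROW = re.compile(
    r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+((?:\d+\s+){8}\d+)$")

# Sample input: three rows taken from the statistics output on this page.
SAMPLE = """\
BSSID state total val-mic inv-skid inv-mic inv-sc inv-ntp no-mic dis-mic dis-n-m
08cc.68b4.4780 ENA 25211 25207 4 0 0 0 0 0 0
203a.07e4.19b1 ENA 1861197 1860997 199 0 1 0 0 0 0
3cce.731a.4531 ENA 17629100 17627546 1554 0 6 0 0 0 0
"""

def parse_detector_stats(text):
    """Return one dict per BSSID row; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip().lower())
        if not m:
            continue
        counters = dict(zip(COLUMNS, map(int, m.group(3).split())))
        rows.append({"bssid": m.group(1), "state": m.group(2).upper(), **counters})
    return rows

def flag_anomalies(rows, max_rate=1e-4):
    """Flag BSSIDs whose non-validating frames exceed max_rate of the total.

    max_rate is a hypothetical threshold; tune it to the site's own baseline.
    """
    findings = []
    for r in rows:
        # Every counter after val-mic records frames that did not validate.
        bad = {c: r[c] for c in COLUMNS[2:] if r[c]}
        rate = sum(bad.values()) / r["total"] if r["total"] else 0.0
        if rate > max_rate:
            findings.append((r["bssid"], bad, round(rate, 6)))
    return findings

if __name__ == "__main__":
    for bssid, bad, rate in flag_anomalies(parse_detector_stats(SAMPLE)):
        print(f"{bssid}: {bad} rate={rate}")
```

Counters are cumulative since the radio came up, so comparing two snapshots taken some minutes apart shows whether a counter is still climbing.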