topic Re: MFP problem in Wireless

MFP problem

Alexey Kurchenko — Mon, 05 Jul 2021 14:56:04 GMT

Hello.

I have a problem with configure MFP on WLС 2504. The firmware version 8.5.105.0

I set up the PMF PSK, but in the management and control frames in the RSN fields do not contain PMF records.

The screenshot shows a fragment of the bacon frame.

What can be wrong?

Re: MFP problem

Flavio Miranda — Mon, 04 Dec 2017 11:17:39 GMT

Hi @Alexey Kurchenko

First MFP and PMF are two different features, although they have similar objectives.

Let´s assume that you are looking for PMF (802.11w). Did you enabled it on WLAN from "Optional" to "Required"?

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Mon, 04 Dec 2017 11:33:21 GMT

Yes. I turned on "Required"

Management Frame Protection
Global Infrastructure MFP state................ Enabled
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... False

WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 WIFI-LAB Enabled Required

Re: MFP problem

Flavio Miranda — Mon, 04 Dec 2017 12:00:01 GMT

Interesting. This link is very clear that, by enabling this feature, you are able to see this information on beacons:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.html

8.5 version is very new, I'm always a bit skeptical when it comes to too new release. If you are able to, you can try open a TAC, maybe this is a bug. Or you can try another WLC version as well.

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Mon, 04 Dec 2017 12:13:52 GMT

Thanks Flavio.

I tried the old version too.

(Cisco Controller) >show boot
Primary Boot Image............................... 8.5.105.0 (default) (active)
Backup Boot Image................................ 8.2.110.0

Re: MFP problem

Flavio Miranda — Mon, 04 Dec 2017 12:34:59 GMT

I didn't ask but WPA/WPA2 is enable, right?

Here some relevant informations:

-Cisco's legacy Management Frame Protection is not related to the 802.11w standard that is implemented in the 7.4 release.
-The 802.11w standard is supported on all 802.11n capable APs except those that are configured for FlexConnect operation.
-The 802.11w standard is supported on the following Cisco Wireless LAN Controller model series: 2500, 5500, 8500, and WiSM2.
-The 802.11w standard is not supported on the following Cisco Wireless LAN Controller models: Flex 7500 and Virtual Wireless LAN Controller.
-802.11w cannot be applied on an open WLAN, WEP-encrypted WLAN, or a TKIP-encrypted WLAN.
-The WLAN on which 802.11w is configured must have either WPA2-PSK or WPA2-802.1x security configured.

Make sure you are in compliance with everything.

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Mon, 04 Dec 2017 12:43:01 GMT

Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled

--More-- or (q)uit
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Enabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled

Re: MFP problem

Flavio Miranda — Mon, 04 Dec 2017 12:50:52 GMT

Can you run "debug pmf events enable" and share ?

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Mon, 04 Dec 2017 13:13:14 GMT

Done. Only "debug>11w-pmf events enable" command.

Re: MFP problem

Flavio Miranda — Mon, 04 Dec 2017 13:23:48 GMT

Alright. Attach logs here when you're done.

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Tue, 05 Dec 2017 13:00:27 GMT

Hi, Flavio.

I reset the wlc settings and re-configured it. Debug file in attach.

Re: MFP problem

Flavio Miranda — Tue, 05 Dec 2017 13:11:12 GMT

This log is interesting:

"Marking Mobile as non-11w Capable"

So, looks like you are testing with a non-11w capable device. Well, this should not be the cause in my opinion. I believe AP should send the 802.11w on its beacons anyway.

Just make sure the packet you got is send from AP and not from Client, and if possible, try to test with a 802.11w capable device.

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Tue, 05 Dec 2017 13:19:30 GMT

Yes. I see that this works correctly. Perhaps Airmagnet (soft for packet capture) show the packets incorrectly?

Re: MFP problem

Flavio Miranda — Tue, 05 Dec 2017 13:21:01 GMT

That´s one good shot. You may try another sniffer to make sure.

As I said, although WLC reports Client as not 802.11w capable, beacons should be send with 802.11w flag enable as you enabled 802.11w on the WLC.

-If I helped you somehow, please, rate it as useful.-

Re: MFP problem

Alexey Kurchenko — Tue, 05 Dec 2017 13:24:20 GMT

Thank you, Flavio. I'll try.

Re: MFP problem

Alexey Kurchenko — Mon, 18 Dec 2017 10:21:50 GMT

Hello Flavio.

The problem was in Air Magnet. Wireshark shows the packets correctly.