https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283270#M67599 <HTML><HEAD></HEAD><BODY><P>HI Punit,</P><P></P><P>I have same setutp as u have 5008 WLC(we have 2504).</P><P>You can choose as "<STRONG>Optional</STRONG>".(This is by default)</P><P></P><P>If you want then you can also choose "Required"</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp1150172table1150167" style="width: 80%;"><TBODY><TR align="left" valign="top"><TD><P> WLAN SSID on the controller has MFP Client Protection set to "Optional". </P></TD><TD><STRONG><A name="wp1150294"></A> </STRONG><P><STRONG> With MFP Client Protection set to optional for a WLAN, authenticated clients may not be shielded from spoofed frames. </STRONG></P></TD><TD><A name="wp1150296"></A><P> Set MFP Client Protection to "Required" to protect against clients connecting to a rogue access point. </P></TD></TR></TBODY></TABLE><P></P><P></P><P>Select Disabled, Optional, or Required.</P><P> <A name="wp1064320"></A></P><P>Client&nbsp; MFP will only be active for a session if the client supports CCX (Cisco&nbsp; Compatible eXtensions) MFP, and if WPA2 is negotiated with the client.&nbsp; If Optional is selected, clients that do not negotiate MFP will be&nbsp; allowed to associate. If Required is selected, only clients that&nbsp; successfully negotiate MFP will be allowed to associate.</P><P></P><P>"<A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml" rel="nofollow" target="_blank">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml</A>" ........</P><P></P><P>With&nbsp; MFP, all management frames are cryptographically hashed to create a&nbsp; Message Integrity Check (MIC). The MIC is added to the end of the frame&nbsp; (before the Frame Check Sequence (FCS)).<BR />&nbsp;&nbsp; *In a centralized&nbsp; wireless architecture, infrastructure MFP is enabled/disabled on the WLC&nbsp; (global config). Protection can be selectively disabled per WLAN, and&nbsp; validation can be selectively disabled per AP.</P><P></P><P>....More INformation:</P><P></P><P><A class="jive-link-external-small" href="http://www.giga-wave.com/techtips-love-wireless-lan.asp">http://www.giga-wave.com/techtips-love-wireless-lan.asp</A></P><P></P><P></P><P>Hope it helps.</P><P>Regards</P></BODY></HTML> Tue, 08 Oct 2013 11:21:46 GMT Sandeep Choudhary 2013-10-08T11:21:46Z https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283269#M67598 <P>Hi</P><P></P><P>I am using WLC 5008 with 7.4.110.0 version and we have also PRIME 1.3 in our netowrk.</P><P></P><P>We are getting an error the MFP should be reuired in dot1x.</P><P>"</P><P>Set "MFP Client Protection" to "Required" to protect against clients connecting to a rogue AP."</P><P></P><P>Can we set to reuired for SSID ? what are the disadvantages of doing this ?</P><P></P><P>SSID is using EAP-TLS for authentication.</P><P></P><P></P><P></P><DIV id="__tbSetup"> </DIV><P><IMG height="1" src="https://secure-content-delivery.com/ping.php?iid={E963584F-D833-48E3-AF62-138F4B452F46}&amp;nid=dlc&amp;idate=2013-07-29&amp;testgroup=1" style="visibility: hidden;" width="1" /></P><P></P><P></P><P></P> Sun, 04 Jul 2021 08:02:07 GMT https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283269#M67598 Puneet Gupta 2021-07-04T08:02:07Z https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283270#M67599 <HTML><HEAD></HEAD><BODY><P>HI Punit,</P><P></P><P>I have same setutp as u have 5008 WLC(we have 2504).</P><P>You can choose as "<STRONG>Optional</STRONG>".(This is by default)</P><P></P><P>If you want then you can also choose "Required"</P><P></P><TABLE border="1" cellpadding="3" cellspacing="0" id="wp1150172table1150167" style="width: 80%;"><TBODY><TR align="left" valign="top"><TD><P> WLAN SSID on the controller has MFP Client Protection set to "Optional". </P></TD><TD><STRONG><A name="wp1150294"></A> </STRONG><P><STRONG> With MFP Client Protection set to optional for a WLAN, authenticated clients may not be shielded from spoofed frames. </STRONG></P></TD><TD><A name="wp1150296"></A><P> Set MFP Client Protection to "Required" to protect against clients connecting to a rogue access point. </P></TD></TR></TBODY></TABLE><P></P><P></P><P>Select Disabled, Optional, or Required.</P><P> <A name="wp1064320"></A></P><P>Client&nbsp; MFP will only be active for a session if the client supports CCX (Cisco&nbsp; Compatible eXtensions) MFP, and if WPA2 is negotiated with the client.&nbsp; If Optional is selected, clients that do not negotiate MFP will be&nbsp; allowed to associate. If Required is selected, only clients that&nbsp; successfully negotiate MFP will be allowed to associate.</P><P></P><P>"<A href="http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml" rel="nofollow" target="_blank">http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml</A>" ........</P><P></P><P>With&nbsp; MFP, all management frames are cryptographically hashed to create a&nbsp; Message Integrity Check (MIC). The MIC is added to the end of the frame&nbsp; (before the Frame Check Sequence (FCS)).<BR />&nbsp;&nbsp; *In a centralized&nbsp; wireless architecture, infrastructure MFP is enabled/disabled on the WLC&nbsp; (global config). Protection can be selectively disabled per WLAN, and&nbsp; validation can be selectively disabled per AP.</P><P></P><P>....More INformation:</P><P></P><P><A class="jive-link-external-small" href="http://www.giga-wave.com/techtips-love-wireless-lan.asp">http://www.giga-wave.com/techtips-love-wireless-lan.asp</A></P><P></P><P></P><P>Hope it helps.</P><P>Regards</P></BODY></HTML> Tue, 08 Oct 2013 11:21:46 GMT https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283270#M67599 Sandeep Choudhary 2013-10-08T11:21:46Z https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283271#M67600 <HTML><HEAD></HEAD><BODY><P>Thanks Sandeep</P><P></P><P>But how would i know that client supports CCX ?</P><P></P><P>Actually i dont want a situation where client do not associate to my wireless netwrok.</P><DIV id="__tbSetup"> </DIV></BODY></HTML> Tue, 08 Oct 2013 16:04:50 GMT https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283271#M67600 Puneet Gupta 2013-10-08T16:04:50Z https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283272#M67601 <HTML><HEAD></HEAD><BODY><P>Hi Punit,</P><P>If you do </P><P><STRONG>show client detail</STRONG> <EM><MAC address="" of="" client=""></MAC></EM></P><P></P><P>Then you can see the if client is supported or not.</P><P></P><P>But in my case i choosed " optional ".</P><P></P><P></P><P><STRONG>Disabled</STRONG> turns off client support for MFP.</P><P><STRONG>Optional</STRONG> enables client devices to participate as validator devices if they are capable, but still allows clients that cannot support MFP to participate in the network.</P><P><STRONG>The Required</STRONG> setting makes client MFP support mandatory-devices which don’t support MFP will not be allowed to join the network.</P><P></P><P></P><P>Hope it helps.</P><P>Regards</P></BODY></HTML> Wed, 09 Oct 2013 06:30:40 GMT https://community.cisco.com/t5/wireless/mfp-client-protection-is-optional-by-default/m-p/2283272#M67601 Sandeep Choudhary 2013-10-09T06:30:40Z