
Infrastructure Management Frame Protection(MFP) - WLC 8.0 code - per WLAN MFP configuration

HyeonCheol Cho
Level 1

Hello WiFi Gurus,

This is about Cisco's version, Infrastructure Management Frame Protection (Infrastructure MFP), not about 802.11w, which is Protected Management Frame (PMF).

Cisco's document for code 8.0 reads as follows:

Infrastructure MFP is disabled by default and can be enabled globally. Once infrastructure MFP is enabled globally, signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected access points.

Cisco Doc: http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0110110.html

However, I could not find the configuration parameters that can be used to disable signature generation for selected WLANs.

Does anyone know where in WLC configuration we can disable Infrastructure MFP for selected WLANs?

Does anyone know where in AP configuration we can disable validation of Infrastructure MFP?

It doesn't seem that 802.11w is ripe enough to deploy in my environment, so it is required to use Management Frame Protection instead.

Thanks

Kind Regards

---------------------------Updated this post on the 31/Aug/2016 with info from Cisco TAC----------------

I opened a case with Cisco and have been working with an engineer, and found that Cisco has removed the two features below due to known bugs:

  • Disabling Infrastructure MFP per WLAN
  • Disabling validation of infrastructure MFP per AP.

In addition, the 8.0 configuration guide has wrong information in it. The TAC engineer advised that he will contact the documentation team to correct the error in the 8.0 configuration guide.

Just wanted to share it for others' benefit.

4 Replies

I do not think there is an option to configure infrastructure MFP per WLAN. I can see only a global config option.

Enable or disable infrastructure MFP globally for the controller by entering this command:

config wps mfp infrastructure {enable | disable}

HTH

Rasika

Hello Rasika,

Thanks for your reply.  

I could not find an option that allows setting Infrastructure MFP per WLAN in code 8.0 either. But the Cisco 8.0 configuration guide says that Infrastructure MFP could be disabled for select WLANs once it is enabled globally. So, I am not very sure if it is a typo in the configuration guide or a hidden feature. If it is a hidden feature, I want to know where and how I can access it so that I can disable it for a few WLANs in my environment while infrastructure MFP is globally enabled.

Thanks

Kind Regards

mohanak
Cisco Employee

You can also enable/disable infrastructure MFP protection and client MFP on each WLAN configured on the WLC. Both are enabled by default, though infrastructure MFP protection is only active if globally enabled, and client MFP is only active if the WLAN is configured with WPA2 security. Follow these steps in order to enable MFP on a WLAN:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82196-mfp.html#wlan

Thanks Mohanak,

I had read the Cisco document at the link in your post. Have you checked it in WLC code 8.0?

Even the 8.0 configuration guide says that it is possible to enable/disable Infrastructure MFP for selected WLANs. But I could not find any setting that allows me to do so. I checked the advanced settings tab in the WLAN settings, but no luck. It appears that Infrastructure MFP is a global configuration and it is not possible to disable it for select WLANs any more.

If you can find any setting in code 8.0 that allows disabling it for select WLANs, please share it with me.

Thanks

Kind Regards
