MFP ccx v5 - Cisco wIPS

Computime SCC, Level 1

I could not find any laptop with an Intel adapter that supports v5; they all support up to v4, so I cannot enable MFP client protection on the Cisco WLC. And as far as I can see, even having Cisco MSE with wIPS will not help enough unless MFP is using CCX v5.

Any ideas, or do we just need to wait for CCX clients to all be v5?

14 Replies

I understand this is a very old post, but maybe a few people are still struggling with this query?

In my understanding the CCX program is now obsolete (even Cisco does not put much effort into supporting it). MFP was introduced in 802.11w and was incorporated into 802.11-2012...

Therefore, if your laptops/mobile devices are 802.11-2012 or 802.11w compliant, then you can easily enable MFP for your network.

P.S. I am looking into this as well. Unfortunately, our current laptop estate is not 802.11w compliant. But a number of laptops that have been acquired recently are 802.11w compliant (in fact, their Intel chipsets are). Haven't tested yet though.

Yes, CCX MFP was superseded by 802.11w. In fact, CCX MFP is incompatible with 802.11w, and both cannot be implemented on the client at the same time.

Newer WLAN adapters with the Wi-Fi Alliance certification logo should support 802.11w, as it became a mandatory requirement for Wi-Fi Alliance certification a few years ago.

BTW, Intel ProSet WLAN adapters were known to support CCXv5 (Windows Driver only of course).

Dennis

dB Performance Inc.

Apparently, MFP is going to be there for a few more years. And the reason for this... 802.11r and 802.11w cannot be used at the same time. If someone's infra is based on Cisco and the NICs are CCXv5 compliant, then 802.11r + Cisco MFP seems like a valuable option to me, if Fast BSS Transition and Management Frame Protection are both important.

Hopefully I get it right.

If Cisco AP infrastructure is being used with CCXv5 (or CCX-Lite) client NICs, it probably makes sense to use CCKM fast-roaming (instead of 802.11r) with Cisco MFP, as they are tested together as part of the CCX logo certification program.

802.11k/r/v is a good specification, and most of the enterprise-grade APs on the market today support 802.11k/r/v along with a few client devices (e.g. newer iPhone/iPad).  Unfortunately, the corresponding Wi-Fi Alliance Voice Enterprise test plan has not been well-adopted by the industry, so there are some interoperability concerns.  In fact, Cisco and Apple have been working together for quite a while to get 802.11k/r/v working seamlessly on iOS with Cisco APs.  You can see all the incremental iPhone bugfixes in the Cisco AP software release notes.  This is why Cisco CCX is still around - guaranteed compatibility is an appealing feature.

Dennis

dB Performance Inc.

Well, yeah, what you say does make sense to me :)

(not even sure why I decided to combine standard and non-standard features).

But yes, if the environment is based on Cisco and is CCXv5 compatible, then CCKM and MFP both look like a neat feature set.

Was just trying to say that I don't really understand how the 802.11 guys could end up making two important features mutually exclusive (you can have Fast Roaming, but not Security, or vice versa - pick the one you like most!).

That's the thing, standards are loose and some manufacturers stick to what they always do to put their product on the market. The biggest thing you see these days is incompatibility between various NICs and wireless vendors. We see this a lot at MS, and testing new devices and/or driver versions is almost a must to make sure the user experience is not affected. I believe that the NIC manufacturers stopped certifying their CCX a while back.

We see devices that have joined another wireless network with MFP and then join ours without it and have issues in Aruba environments. You will always be finding things, but the best way is to keep it as simple as you can and test the drivers.

-Scott 

*** Please rate helpful posts *** 


Just makes wireless engineers feel miserable :)

Yeah, but you learn what really works and you can identify issues fast. I'm not one to enable features, to be honest. If you have nice solid AP placement and can tweak the network, many features are not needed. I have seen features break after upgrading, and that is even worse :) The more basic your config is, the fewer issues you will have.

-Scott 

*** Please rate helpful posts *** 


Yes, exactly. And the more complicated the feature, the more complicated the test. We've had to develop our own automated 802.11k/r/v fast-roaming tests in an anechoic chamber to provide repeatable results for our customers for each new software update.

Dennis

dB Performance Inc.

Wow, that already sounds too complicated. But thanks for your input, guys.

Actually, you should be able to use 802.11w MFP with 802.11r fast-roaming when your network is configured for WPA2-Enterprise:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/Chapter-11.html#pgfId-1142861

802.11w is not supported on WPA-Enterprise, WEP, or open networks.

Dennis

dB Performance Inc.

Dennis, I am not sure how this is possible.

Both 802.11w and 802.11r are advertised as RSN IEs and are mutually exclusive. If I enable PMF on the WLAN, the Fast BSS Transition options become grayed out. Only if 802.11w is set to Optional can I still select 802.11r features. I remember when I captured frames on a WLAN with Fast BSS Transition enabled and then PMF... it has a separate RSN IE per feature... there's no RSN IE that will tell PMF+Fast BSS...

I will have to test it.

Hi Tymofii:

What WLAN controller and AP setup are you using?

My understanding is 802.11w adds new IEs to the RSN capabilities field (MFPR and MFPC), which is independent from 802.11r. There seem to be a lot of restrictions on using 802.11r on Cisco hardware, so perhaps your WLAN controller supports 802.11r/802.11w, but your AP hardware does not support that combination. This is especially true for a lot of autonomous APs.

We are using a Cisco 2504 controller with version 8.1.131.0 firmware, and 1242 APs.  Our settings in WLANs -> (WLAN ID) -> Security -> Layer 2 are:

- "Layer 2 Security" is set to WPA+WPA2

- "Fast Transition over the DS" is checked (enabled)

- "Reassociation Timeout" is set to 20 seconds

- "PMF" is set to "Required"

- "Comeback Timer" is set to one second

- "SA Query Timeout" is set to 200 ms

- "WPA2 Policy" is checked (WPA and TKIP unchecked)

- "PMF 802.1X" is checked

Dennis

dB Performance Inc.
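
As an added illustration of the point made in the reply above (this is example code written for this page, not Cisco's code and not something posted in the thread), the following Python decodes an RSN information element and shows where 802.11r and 802.11w each live in it: fast transition is signalled by FT AKM suites in the AKM list, management frame protection by the MFPC/MFPR bits of the RSN Capabilities field, so one element can carry both. It also applies the 802.11-2012 PMF negotiation rules to show what happens to a client without PMF support against a PMF-required AP. All sample elements are constructed here, and the AKM list used for the "FT + PMF required" sample is an assumption about what a controller with the settings listed above would advertise, not a capture.

```python
"""Decode an 802.11 RSN information element (element ID 48): cipher suites,
AKM suites (where 802.11r fast transition is advertised) and the MFPC/MFPR
bits of RSN Capabilities (where 802.11w is advertised).  Layout per IEEE
802.11-2012 clause 8.4.2.27.  All IEs below are constructed, not captured."""
import struct

OUI_IEEE = b"\x00\x0f\xac"
CIPHERS = {2: "TKIP", 4: "CCMP-128", 6: "BIP-CMAC-128"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
FT_AKMS = {"FT-802.1X", "FT-PSK", "FT-SAE"}
MFPR = 1 << 6  # RSN Capabilities bit 6: management frame protection required
MFPC = 1 << 7  # RSN Capabilities bit 7: management frame protection capable


def _sel(suite_type):
    """Encode an IEEE-OUI suite selector (3-byte OUI + 1 type byte)."""
    return OUI_IEEE + bytes([suite_type])


def _name(raw, table):
    """Decode a 4-byte suite selector; unknown selectors are kept as hex."""
    return table.get(raw[3], "unknown:" + raw.hex()) if raw[:3] == OUI_IEEE \
        else "vendor:" + raw.hex()


def build_rsn_ie(group, pairwise, akms, caps, group_mgmt=None):
    """Assemble an RSN IE from suite type numbers (used to build the samples)."""
    body = struct.pack("<H", 1) + _sel(group)
    body += struct.pack("<H", len(pairwise)) + b"".join(map(_sel, pairwise))
    body += struct.pack("<H", len(akms)) + b"".join(map(_sel, akms))
    body += struct.pack("<H", caps)
    if group_mgmt is not None:  # preceded by an (empty) PMKID list
        body += struct.pack("<H", 0) + _sel(group_mgmt)
    return bytes([48, len(body)]) + body


def parse_rsn_ie(ie):
    """Parse an RSN IE.  Fields after Version are optional, but a suite or
    PMKID count pointing past the element raises instead of over-reading."""
    if len(ie) < 4 or ie[0] != 48 or len(ie) != 2 + ie[1]:
        raise ValueError("not a complete RSN IE")
    body, off = ie[2:], 2
    if struct.unpack_from("<H", body)[0] != 1:
        raise ValueError("unsupported RSN version")

    def take(n):
        nonlocal off
        if off + n > len(body):
            raise ValueError("field overruns RSN IE")
        off += n
        return body[off - n:off]

    def suites(table):
        count = struct.unpack("<H", take(2))[0]
        return [_name(take(4), table) for _ in range(count)]

    info = {"group": None, "pairwise": [], "akm": [],
            "mfpc": False, "mfpr": False, "group_mgmt": None}
    if off == len(body): return info
    info["group"] = _name(take(4), CIPHERS)
    if off == len(body): return info
    info["pairwise"] = suites(CIPHERS)
    if off == len(body): return info
    info["akm"] = suites(AKMS)
    if off == len(body): return info
    caps = struct.unpack("<H", take(2))[0]
    info["mfpc"], info["mfpr"] = bool(caps & MFPC), bool(caps & MFPR)
    if off == len(body): return info
    take(16 * struct.unpack("<H", take(2))[0])  # PMKID list, skipped
    if off == len(body): return info
    info["group_mgmt"] = _name(take(4), CIPHERS)
    return info


def supports_ft(info):
    """802.11r is signalled by an FT AKM suite (plus a Mobility Domain IE)."""
    return any(a in FT_AKMS for a in info["akm"])


def pmf_outcome(ap, sta_mfpc, sta_mfpr):
    """PMF negotiation result (802.11-2012 clause 11.5.3) for a parsed AP IE
    and a station's MFPC/MFPR bits.  'rejected' covers the AP refusing with
    status 31 (robust management frame policy violation) and the station
    being required not to associate."""
    if (ap["mfpr"] and not ap["mfpc"]) or (sta_mfpr and not sta_mfpc):
        raise ValueError("MFPR without MFPC is invalid")
    if (ap["mfpr"] and not sta_mfpc) or (sta_mfpr and not ap["mfpc"]):
        return "rejected"
    return "protected" if ap["mfpc"] and sta_mfpc else "unprotected"


# Constructed sample: 802.1X WLAN with FT and PMF required.  The AKM list is an
# assumption about what a controller configured as in the post would send; the
# point is that FT (AKM list) and MFP (capability bits) are independent fields.
AP_FT_PMF = build_rsn_ie(group=4, pairwise=[4], akms=[1, 3, 5],
                         caps=MFPC | MFPR, group_mgmt=6)
# Constructed sample: plain WPA2-Enterprise, no FT, no PMF, ends after caps.
AP_LEGACY = build_rsn_ie(group=4, pairwise=[4], akms=[1], caps=0)
# Constructed sample: pairwise count claims 5 suites but only one is present.
AP_MALFORMED = (bytes([48, 12]) + struct.pack("<H", 1) + _sel(4)
                + struct.pack("<H", 5) + _sel(4))

if __name__ == "__main__":
    for label, ie in (("FT+PMF", AP_FT_PMF), ("legacy", AP_LEGACY)):
        d = parse_rsn_ie(ie)
        print(label, d["akm"], supports_ft(d), d["mfpc"], d["mfpr"], d["group_mgmt"])
    print(pmf_outcome(parse_rsn_ie(AP_FT_PMF), sta_mfpc=False, sta_mfpr=False))
```

Running the script prints both samples decoded, then "rejected" for a non-PMF client against the PMF-required AP, which is the behaviour to expect from the "PMF Required" setting listed above on clients whose drivers predate 802.11w. The parser refuses a truncated element or a count that overruns it, which is the check worth keeping in any tool that decodes beacons from the air, where the element contents are attacker-controlled.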

Any update on your testing?
