08-22-2016 12:49 AM - edited 07-05-2021 05:41 AM
Hello WiFi Gurus,
It is about Cisco's version Infrastructure Management Frame Protection ( Infrastructure MFP) but not about 802.11W which is Protected Management Frame (PMF).
In Cisco's document for code 8.0, it goes as
Infrastructure MFP is disabled by default and can be enabled globally. Once infrastructure MFP is enabled globally, signature generation (adding MICs to outbound frames) can be disabled for selected WLANs, and validation can be disabled for selected access points.
However, I could not find the configuration parameters that can be used to disable signature generation for selected WLANs.
Does anyone know where in WLC configuration we can disable Infrastructure MFP for selected WLANs?
Does anyone know where in AP configuration we can disable validation of Infrastructure MFP?
It doesn't seem that 802.11W is ripe enough for deploy in my environment so that it is required to use Management Frame Protection instead.
Thanks
Kind Regards
---------------------------Updated this post on the 31/Aug/2016 with info from Cisco TAC----------------
I opened a case with Cisco and has been working with an engineer to find that Cisco has removed below two features due to known bugs
In addition, 8.0 configuration guide has wrong information on it. The TAC engineer advised that he will contact documentation team to correct the error in the 8.0 configuration guide.
Just wanted to share it for other benefits.
08-22-2016 12:16 PM
I do not think there is option to configure infrastructure MFP per WLAN. I can see only a global config option
Enable or disable infrastructure MFP globally for the controller by entering this command:
config wps mfp infrastructure {enable | disable}
HTH
Rasika
08-23-2016 08:11 AM
Hello Rasika,
Thanks for your reply.
I could not find option that allow to set Infrastructure MFP per WLAN in code 8.0 either. But, as the CIsco 8.0 configuration guide says that Infrastructure MFP could be disabled for select WLANs once it is enabled globally. So, I am not very sure if it is a typo in the configuration guide or it is a hidden feature. If it is a hidden feature, I want to know where how I can access it so that I can disable it for a few WLANs in my environment while infrastructure MFP is globally enabled.
Thanks
Kind Regards
08-22-2016 06:51 PM
You can also enable/disable infrastructure MFP protection and client MFP on each WLAN configured on the WLC. Both are enabled by default though infrastructure MFP protection, which is only active if globally enabled, and client MFP is only active if the WLAN is configured with WPA2 security. Follow these steps in order to enable MFP on a WLAN::
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/82196-mfp.html#wlan
08-23-2016 08:02 AM
Thanks Mohanak,
I had read the Cisco document at the link in your post. Have you checked it in WLC code 8.0?
Even in 8.0 configuration guide, it says that it is possible to enable/disable Infrastructure MFP for selected WLAN. But, I could not find any settings that allows me to do so. I checked advanced setting tab in WLAN setting. But no luck. It appears that Infrastructure MFP is global configuration and it is not possible to disable it for select WLANS any more.
If you can find any settings in code 8.0 that allows to disable it for select WLANs , please share it with me.
Thanks
Kind Regards
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide