06-06-2006 07:45 AM - edited 07-04-2021 12:14 PM
Hi,
Since upgrading to 12.3(8)JA and JA2, we are getting the following message from the WLSE.
Change: Unable to verify MFP configuration
ChangeSeverity: P2
StateChange: MFPConfiguration is MFPConfigMismatch
AlarmState: Active
OverallSeverity: P2
DeviceType: IOSAccessPoint
Followed by:
MO: Device
Change: Actual and Requested MFP Configurations match
ChangeSeverity: OK
StateChange: MFPConfiguration is OK
AlarmState: Cleared
OverallSeverity: OK
DeviceType: IOSAccessPoint
Does anyone know what this refers to?
Regards
Miron
06-08-2006 05:50 AM
Hi Miron,
Have you seen these docs? They show how to enable/disable MFP along with error descriptions, etc.:
Enhanced IDS with Management Frame Protection
Management Frame Protection (MFP), which authenticates management frames between Access Points, eliminates several WLAN attacks that arise due to spoofing of authorized devices. CiscoWorks WLSE enables MFP in the network and provides visibility into network events associated with MSP detection/protection.
Understanding Management Frame Protection
Although the data frames passing through an 802.11 network are considered to have excellent authentication and privacy through the protocol enhancements of 802.11i, control and management frames are still extremely vulnerable in a strictly 802.11-standard network. Because control and management frames are unauthenticated, any rogue device can, for example, mimic an access point and tell 802.11 client devices that they are no longer associated to that AP.
Management Frame Protection (MFP) inserts secure authentication information into 802.11 management frames to prevent this type of attack. This feature allows network infrastructure devices (APs and their related servers) to be MFP generators and detectors, essentially cross-checking each other during network operations. The primary network-level management takes place at the Wireless Domain Server (WDS) level, and the managed APs provide both generation and detection capabilities. The WLSE functions as a reporting mechanism by logging alerts, sending email to administrators, and so on.
When MFP is enabled for a network, each MFP-capable detector AP queries the WDS when it first observes a management frame from a given generator AP. The WDS tells the detector whether the generator should be producing MFP frames, and, if so, what its AAA keys should be. If the WDS's expectation of the MFP state of the generator AP is violated, the detector AP sends the WDS an MFP report. As all generator APs' AAA keys are rotated, the WDS informs all detector APs ahead of time to avoid false alarms.
Detecting Management Frame Protection Faults
Fault Descriptions
Hope this helps!
Rob
Please remember to rate helpful posts.....
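The detector/WDS cross-check described in the quoted documentation, as an added example that is not part of the original thread or of Cisco's documentation. It is a simplified model: the HMAC-SHA256 tag, the dictionary standing in for the WDS, the verdict strings and all names are assumptions, not the MFP wire format.

```python
import hashlib
import hmac

def mic(key: bytes, frame: bytes) -> bytes:
    # Constructed stand-in for the integrity tag a generator AP adds to a frame.
    return hmac.new(key, frame, hashlib.sha256).digest()

class Detector:
    """Detector AP: compares observed management frames with the WDS's expectation."""

    def __init__(self, wds):
        # wds (hypothetical): generator BSSID -> list of valid keys; [] = MFP not expected
        self.wds, self.cache, self.reports = wds, {}, []

    def rotation_notice(self, bssid, new_key):
        # The WDS announces the next key before the generator starts using it.
        self.cache.setdefault(bssid, list(self.wds.get(bssid, []))).append(new_key)

    def observe(self, bssid, frame, tag=None):
        # Query the WDS only the first time this generator is seen.
        if bssid not in self.cache:
            self.cache[bssid] = list(self.wds.get(bssid, []))
        keys = self.cache[bssid]
        if not keys:
            verdict = "ok" if tag is None else "unexpected MIC"
        elif tag is None:
            verdict = "missing MIC"  # e.g. a spoofed deauthentication frame
        elif any(hmac.compare_digest(tag, mic(k, frame)) for k in keys):
            verdict = "ok"
        else:
            verdict = "invalid MIC"
        if verdict != "ok":
            self.reports.append((bssid, verdict))  # the MFP report sent to the WDS
        return verdict

def demo():
    # Constructed sample data: two generator APs, one with MFP enabled.
    k1, k2 = b"key-before-rotation", b"key-after-rotation"
    frame = b"deauth: client 00:11:22:33:44:55"
    det = Detector({"ap-mfp": [k1], "ap-plain": []})
    return [
        det.observe("ap-mfp", frame, mic(k1, frame)),  # genuine protected frame
        det.observe("ap-mfp", frame),                  # unprotected frame using the AP's address
        det.observe("ap-mfp", frame, mic(k2, frame)),  # rotated key, no notice: false alarm
        det.rotation_notice("ap-mfp", k2),
        det.observe("ap-mfp", frame, mic(k2, frame)),  # same frame after the notice
    ]

if __name__ == "__main__":
    print(demo())
```

The third and fifth results show why the detector has to hear about a key rotation ahead of time: the same frame is reported before the notice and accepted after it.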