cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3283
Views
25
Helpful
15
Replies

MFP problem

Hello.

 

I have a problem with configure MFP on WLС 2504. The firmware version 8.5.105.0

 

I set up the PMF PSK, but in the management and control frames in the RSN fields do not contain PMF records.

The screenshot shows a fragment of the bacon frame.

What can be wrong?

15 Replies 15

Hi @Alexey Kurchenko

 

 First MFP and PMF are two different features, although they have similar objectives.

Let´s assume that you are looking for PMF (802.11w). Did you enabled it on WLAN from "Optional" to "Required"?

 

 

 

-If I helped you somehow, please, rate it as useful.-

 

 

Yes. I turned on  "Required" 

Management Frame Protection
Global Infrastructure MFP state................ Enabled
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... False

WLAN Client
WLAN ID WLAN Name         Status      Protection
------- ------------------------- --------- ----------
1 WIFI-LAB                          Enabled     Required

Interesting. This link is very clear that, by enabling this feature, you are able to see this information on beacons:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/5700/software/release/ios_xe_33/11rkw_DeploymentGuide/b_802point11rkw_deployment_guide_cisco_ios_xe_release33/b_802point11rkw_deployment_guide_cisco_ios_xe_release33_chapter_0100.htm...

 

 8.5 version is very new, I'm always a bit skeptical  when it comes to too new release. If you are able to, you can try open a TAC, maybe this is a bug. Or you can try another WLC version as well.

 

 

-If I helped you somehow, please, rate it as useful.-

Thanks Flavio.

I tried the old version too. 

(Cisco Controller) >show boot
Primary Boot Image............................... 8.5.105.0 (default) (active)
Backup Boot Image................................ 8.2.110.0

 

 I didn't ask but WPA/WPA2 is enable, right?

 

Here some relevant informations:

 

-Cisco's legacy Management Frame Protection is not related to the 802.11w standard that is implemented in the 7.4 release.
-The 802.11w standard is supported on all 802.11n capable APs except those that are configured for FlexConnect operation.
-The 802.11w standard is supported on the following Cisco Wireless LAN Controller model series: 2500, 5500, 8500, and WiSM2.
-The 802.11w standard is not supported on the following Cisco Wireless LAN Controller models: Flex 7500 and Virtual Wireless LAN Controller.
-802.11w cannot be applied on an open WLAN, WEP-encrypted WLAN, or a TKIP-encrypted WLAN.
-The WLAN on which 802.11w is configured must have either WPA2-PSK or WPA2-802.1x security configured.

 

Make sure you are in compliance with everything.

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Security

802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled

--More-- or (q)uit
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Enabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled

Can you run "debug pmf events enable" and share ?

 

 

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Done. Only "debug>11w-pmf events enable" command.

Alright. Attach logs here when you're done.

 

 

 

 

 

 

 

-If I helped you somehow, please, rate it as useful.-

Hi,   Flavio.

I reset the wlc settings and re-configured it. Debug file in attach. 

 

 

This log is interesting:

"Marking Mobile as non-11w Capable"

So, looks like you are testing with a non-11w capable device. Well, this should not be the cause in my opinion. I believe AP should send the 802.11w on its beacons anyway. 

 Just make sure the packet you got is send from AP and not from Client, and if possible, try to test with a 802.11w capable device.

 

-If I helped you somehow, please, rate it as useful.-

 

 

 

Yes. I see that this works correctly. Perhaps Airmagnet (soft for packet capture) show the packets incorrectly?

That´s one good shot. You may try another sniffer to make sure.

 

As I said, although WLC reports Client as not 802.11w capable, beacons should be send with 802.11w flag enable as you enabled 802.11w on the WLC.

 

 

 

-If I helped you somehow, please, rate it as useful.-

 

Thank you, Flavio.  I'll try.

Review Cisco Networking for a $25 gift card