12-04-2017 02:33 AM - edited 07-05-2021 07:56 AM
Hello.
I have a problem configuring MFP on a WLC 2504. The firmware version is 8.5.105.0.
I set up PMF PSK, but the RSN fields in the management and control frames do not contain PMF records.
The screenshot shows a fragment of the beacon frame.
What can be wrong?
12-04-2017 03:17 AM
First, MFP and PMF are two different features, although they have similar objectives.
Let's assume that you are looking for PMF (802.11w). Did you enable it on the WLAN, from "Optional" to "Required"?
-If I helped you somehow, please, rate it as useful.-
12-04-2017 03:33 AM
Yes. I turned on "Required".
Management Frame Protection
Global Infrastructure MFP state................ Enabled
AP Impersonation detection..................... Disabled
Controller Time Source Valid................... False
WLAN Client
WLAN ID WLAN Name Status Protection
------- ------------------------- --------- ----------
1 WIFI-LAB Enabled Required
12-04-2017 04:00 AM
Interesting. This link is very clear that, by enabling this feature, you are able to see this information in beacons:
8.5 is a very new version; I'm always a bit skeptical when it comes to too new a release. If you are able to, you can try opening a TAC case; maybe this is a bug. Or you can try another WLC version as well.
-If I helped you somehow, please, rate it as useful.-
12-04-2017 04:13 AM
Thanks Flavio.
I tried the old version too.
(Cisco Controller) >show boot
Primary Boot Image............................... 8.5.105.0 (default) (active)
Backup Boot Image................................ 8.2.110.0
12-04-2017 04:34 AM
I didn't ask, but WPA/WPA2 is enabled, right?
Here is some relevant information:
-Cisco's legacy Management Frame Protection is not related to the 802.11w standard that is implemented in the 7.4 release.
-The 802.11w standard is supported on all 802.11n capable APs except those that are configured for FlexConnect operation.
-The 802.11w standard is supported on the following Cisco Wireless LAN Controller model series: 2500, 5500, 8500, and WiSM2.
-The 802.11w standard is not supported on the following Cisco Wireless LAN Controller models: Flex 7500 and Virtual Wireless LAN Controller.
-802.11w cannot be applied on an open WLAN, WEP-encrypted WLAN, or a TKIP-encrypted WLAN.
-The WLAN on which 802.11w is configured must have either WPA2-PSK or WPA2-802.1x security configured.
Make sure you are in compliance with everything.
-If I helped you somehow, please, rate it as useful.-
12-04-2017 04:43 AM
Security
802.11 Authentication:........................ Open System
FT Support.................................... Disabled
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Enabled
WPA (SSN IE)............................... Disabled
WPA2 (RSN IE).............................. Enabled
TKIP Cipher............................. Disabled
AES Cipher.............................. Enabled
CCMP256 Cipher.......................... Disabled
GCMP128 Cipher.......................... Disabled
GCMP256 Cipher.......................... Disabled
OSEN IE.................................... Disabled
Auth Key Management
802.1x.................................. Disabled
PSK..................................... Disabled
CCKM.................................... Disabled
FT-1X(802.11r).......................... Disabled
FT-PSK(802.11r)......................... Disabled
PMF-1X(802.11w)......................... Disabled
PMF-PSK(802.11w)........................ Enabled
OSEN-1X................................. Disabled
SUITEB-1X............................... Disabled
SUITEB192-1X............................ Disabled
FT Reassociation Timeout................... 20
FT Over-The-DS mode........................ Enabled
GTK Randomization.......................... Disabled
SKC Cache Support.......................... Disabled
12-04-2017 04:50 AM
Can you run "debug pmf events enable" and share the output?
-If I helped you somehow, please, rate it as useful.-
12-04-2017 05:13 AM
Done. There is only the "debug>11w-pmf events enable" command.
12-04-2017 05:23 AM
Alright. Attach logs here when you're done.
-If I helped you somehow, please, rate it as useful.-
12-05-2017 05:00 AM
12-05-2017 05:11 AM
This log line is interesting:
"Marking Mobile as non-11w Capable"
So it looks like you are testing with a non-11w-capable device. Well, this should not be the cause, in my opinion. I believe the AP should send the 802.11w information in its beacons anyway.
Just make sure the packet you got is sent from the AP and not from the client, and if possible, try to test with an 802.11w-capable device.
-If I helped you somehow, please, rate it as useful.-
12-05-2017 05:18 AM - edited 12-05-2017 05:19 AM
Yes. I see that this works correctly. Perhaps AirMagnet (the packet capture software) shows the packets incorrectly?
12-05-2017 05:21 AM
That's a good shot. You may try another sniffer to make sure.
As I said, although the WLC reports the client as not 802.11w capable, beacons should be sent with the 802.11w flag enabled, as you enabled 802.11w on the WLC.
-If I helped you somehow, please, rate it as useful.-
12-05-2017 05:24 AM
Thank you, Flavio. I'll try.
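As an added example (not code from this thread or from Cisco), the following Python decodes the RSN information element from a beacon's tagged parameters and reports the AKM suites and the RSN Capabilities bits (MFPC/MFPR) that a WLAN with PMF "Required" and PMF-PSK should advertise. The beacon bytes are constructed samples, not a capture, so the check can be run offline; feed it the tagged-parameter bytes from a real capture to verify what the AP sends independently of the sniffer's decoder.

```python
import struct

IEEE_OUI = b"\x00\x0f\xac"      # OUI used by standard 802.11 suite selectors
RSN_ID = 48                      # element ID of the RSN information element
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}

def iter_ies(blob):
    """Yield (element_id, body) for each tagged parameter in a beacon body."""
    off = 0
    while off + 2 <= len(blob):
        eid, ln = blob[off], blob[off + 1]
        yield eid, blob[off + 2:off + 2 + ln]
        off += 2 + ln

def suite_name(suite):
    """Name a 4-byte AKM selector (OUI + type); non-IEEE selectors are reported raw."""
    if suite[:3] != IEEE_OUI:
        return f"vendor-{suite.hex()}"
    return AKM_NAMES.get(suite[3], f"unknown-{suite[3]}")

def parse_rsn(body):
    """Decode an RSN IE body (version 1) down to the RSN Capabilities field."""
    off = 2 + 4                                  # skip version and group cipher suite
    n_pair = struct.unpack_from("<H", body, off)[0]
    off += 2 + 4 * n_pair                        # skip the pairwise cipher list
    n_akm = struct.unpack_from("<H", body, off)[0]
    off += 2
    akms = [suite_name(body[off + 4 * i:off + 4 * i + 4]) for i in range(n_akm)]
    off += 4 * n_akm
    # RSN Capabilities is optional; bit 6 = MFPR (PMF required), bit 7 = MFPC (PMF capable).
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"akms": akms, "mfpc": bool(caps & 0x80), "mfpr": bool(caps & 0x40)}

def pmf_mode(beacon_ies):
    """Return the PMF setting a beacon advertises: required, optional, disabled or no-rsn-ie."""
    for eid, body in iter_ies(beacon_ies):
        if eid == RSN_ID:
            rsn = parse_rsn(body)
            return "required" if rsn["mfpr"] else "optional" if rsn["mfpc"] else "disabled"
    return "no-rsn-ie"

# Constructed samples (not a real capture): an SSID IE followed by an RSN IE.
# WPA2/AES with AKMs PSK + PSK-SHA256 and capabilities MFPC|MFPR, i.e. PMF "Required":
PMF_REQUIRED_IES = bytes.fromhex("0008" + b"WIFI-LAB".hex() + "3018" "0100"
    "000fac04" "0100" "000fac04" "0200" "000fac02" "000fac06" "c000")
# The same WLAN with PMF off (only the PSK AKM, capabilities all zero):
PMF_OFF_IES = bytes.fromhex("0008" + b"WIFI-LAB".hex() + "3014" "0100"
    "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
```

If a real beacon from the AP decodes as "disabled" or "no-rsn-ie" here, the AP really is not advertising PMF; if it decodes as "required", the capture tool's display was the problem.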