04-16-2020 12:53 AM - edited 07-05-2021 11:56 AM
Hi all
Now that most users are doing home-office, I think it's a good time to modify some wireless settings on the WLCs (running 8.5.x and 8.8.x).
One of them is PMF on the SSID. I have had that disabled so far, but I think it's time to set it to Optional as a first step.
Is there an easy way to see if I have clients connected not using it?
I can see it on the CLI by issuing a "show client detail macaddress", but that is not very feasible for hundreds of clients.
show client detail 00:bb:60:37:b5:3b
.....
Protected Management Frame ...................... Yes
....
I also have Prime 3.7 at hand, if some report would show this. At least the client details don't seem to offer it.
Why am I doing this, you might wonder? For WPA3-Enterprise, PMF is a requirement and, as far as I can see, the only one. I'd like to discover how many, if any, legacy clients I still have around. Oh, and also to increase the security of the whole wireless setup.
Thanks for any hints
Patrick
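Added example, not part of the original thread and not Cisco code: one way to answer the question above for hundreds of clients is to save a CLI session in which "show client detail <mac>" was run for each client and parse it offline. It assumes the session log contains the echoed command before each client's output; the sample log, including the prompt and the "Client State" line, is constructed.

```python
import re

# Record start: the echoed command, as quoted in the post above.
CMD_RE = re.compile(r"show client detail\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
# Field line: label, a run of dots, then Yes or No.
PMF_RE = re.compile(r"^\s*Protected Management Frame\s*\.{2,}\s*(Yes|No)\s*$", re.I)

# Constructed sample session log (not captured from a real controller).
SAMPLE_LOG = """\
(Cisco Controller) >show client detail 00:bb:60:37:b5:3b
Client State..................................... Associated
Protected Management Frame ...................... Yes
(Cisco Controller) >show client detail 00:bb:60:37:b5:3c
Client State..................................... Associated
Protected Management Frame ...................... No
(Cisco Controller) >show client detail 00:bb:60:37:b5:3d
Client State..................................... Associated
(Cisco Controller) >show client detail 00:BB:60:37:B5:3E
Protected Management Frame ...................... yes
"""

def pmf_status(log_text):
    """Map each client MAC to True/False, or None when no PMF line was seen."""
    status = {}
    current = None
    for line in log_text.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            current = cmd.group(1).lower()   # normalise MAC case
            status.setdefault(current, None)
            continue
        field = PMF_RE.match(line)
        if field and current is not None:
            status[current] = field.group(1).lower() == "yes"
    return status

def clients_without_pmf(log_text):
    """Return (MACs reporting No, MACs whose output had no PMF line)."""
    status = pmf_status(log_text)
    no_pmf = sorted(m for m, v in status.items() if v is False)
    unknown = sorted(m for m, v in status.items() if v is None)
    return no_pmf, unknown

if __name__ == "__main__":
    no_pmf, unknown = clients_without_pmf(SAMPLE_LOG)
    print("PMF not in use:", no_pmf)
    print("No PMF line found:", unknown)
```

Clients in the second list are reported separately so that truncated or failed command output is not silently counted as "no PMF".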
04-16-2020 06:00 AM
04-16-2020 06:58 AM
With WPA2, MFP is optional, so not many consumer vendors implement it.
For WPA3 it is mandatory, so if a device supports WPA3, MFP is required; you do not get an option to choose. The same goes for WiFi6 certification: if a client supports WiFi6, then it has to do MFP.
Therefore, if you want to check MFP support, looking for WPA3 or WiFi6 support of a device tells the story. Here is the WiFi Alliance page where you can find devices that comply with those certifications. It may be a good starting point.
https://www.wi-fi.org/product-finder-results
If you want to test it out, you can simply create a WPA3 Personal (WPA3-SAE) WLAN & test your client for its support
https://mrncciew.com/2019/11/29/wpa3-sae-mode/
HTH
Rasika
*** Pls rate all useful responses ***
04-17-2020 02:42 AM
That was quick. Already got the first client complaining he can't connect anymore to the SSID with PMF set to optional.
A Samsung Galaxy S2 running LineageOS 14.1 (based on Android 7.1.2). The original phone OS was never upgraded to Android 5, so I guess there never was a driver supporting 802.11w. It seems that Google added the support to Android 5.0, but the drivers need to support it too.
04-17-2020 05:05 AM
Samsung S2 has a Broadcom BCM4330 chipset inside for wireless. Looking into the spec sheet, there is no support for PMF:
http://www.cypress.com/file/298676/download
The weird thing is, why can't it connect when PMF is marked as optional? It should?
HTH
-Jesus
*** Always Rate Helpful Responses ***
04-17-2020 05:41 AM - edited 04-22-2020 02:22 AM
With PMF optional, the frames will still have more information in the header and I guess this was never correctly handled by the driver/kernel when it was compiled for Android 4.x. I hoped that software in 2020 would just ignore it, but sadly not in this specific case.