3018 Views, 0 Helpful, 5 Replies

PMF on SSID, which clients support it

patoberli
VIP Alumni

Hi all

Now that most users are doing home-office, I think it's a good time to modify some wireless settings on the WLCs (running 8.5.x and 8.8.x).

One of them is PMF on the SSID. I have had that disabled so far, but I think it's time to set this to Optional as a first step.

 

Is there an easy way to see if I have clients connected not using it?

I can see it on the CLI by issuing a "show client detail macaddress", but that is not very feasible for hundreds of clients. 

show client detail 00:bb:60:37:b5:3b
.....
Protected Management Frame ...................... Yes
....

I also have Prime 3.7 at hand, if some report would show this. At least the client details don't seem to offer it. 

 

Why am I doing this, you might wonder? For WPA3-Enterprise, PMF is a requirement and, as far as I can see, the only one. I'd like to discover how many, if any, legacy clients I still have around. Oh, and also to increase the security of the whole wireless setup.

 

Thanks for any hints

Patrick
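
Added example, not part of the original post and not Cisco tooling: one way to answer the "hundreds of clients" question is to save a terminal session in which `show client detail <mac>` was run once per client and parse the `Protected Management Frame` line for each. The function names, the prompt text, the second and third MAC addresses and the error line in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Command echo as typed in the post; anything before it (a prompt) is ignored.
CMD_RE = re.compile(r"show client detail\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)
# Field line as quoted in the post: label, dot leader, value.
PMF_RE = re.compile(r"^\s*Protected Management Frame\s*\.{2,}\s*(\S+)", re.I)


def parse_pmf(transcript):
    """Map each client MAC to the lower-cased field value, or 'unknown' if absent."""
    status = {}
    current = None
    for line in transcript.splitlines():
        cmd = CMD_RE.search(line)
        if cmd:
            current = cmd.group(1).lower()
            status.setdefault(current, "unknown")
            continue
        field = PMF_RE.match(line)
        if field and current is not None:
            status[current] = field.group(1).lower()
    return status


def summarize(status):
    """Group MACs by PMF state so non-PMF clients can be listed."""
    groups = defaultdict(list)
    for mac, state in sorted(status.items()):
        groups[state].append(mac)
    return dict(groups)


# Constructed sample session; only the first MAC comes from the post.
SAMPLE = """\
(Cisco Controller) >show client detail 00:bb:60:37:b5:3b
.....
Protected Management Frame ...................... Yes
....
(Cisco Controller) >show client detail 02:00:00:aa:bb:01
.....
Protected Management Frame ...................... No
....
(Cisco Controller) >show client detail 02:00:00:aa:bb:02
Invalid or unknown client (constructed error line)
"""

if __name__ == "__main__":
    for state, macs in summarize(parse_pmf(SAMPLE)).items():
        print(f"{state:8} {len(macs):3}  {', '.join(macs)}")
```

Clients reported as `unknown` are those whose output block had no PMF line at all, for example because they disconnected between collecting the MAC list and running the command.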

5 Replies

Scott Fella
Hall of Fame
I do the same thing on my home lab; it is my production at home, however. What I do is make sure all the devices that were connected prior connect back up. I don’t bother looking at what the devices support. I do have a few tools like the NetAlly nXG and a WLAN Pi that I play with that can look at what the client supports.
-Scott
*** Please rate helpful posts ***

With WPA2, MFP is optional, so not many consumer vendors implement it.

For WPA3 it is mandatory, so if a device supports WPA3, MFP is required; you do not get an option to choose. The same goes for WiFi6 certification: if a client supports WiFi6, then it has to do MFP.

 

Therefore, if you want to check MFP support, looking for WPA3 or WiFi6 support of a device tells the story. Here is the WiFi Alliance page where you can find devices that comply with those certifications. It may be a good starting point.

https://www.wi-fi.org/product-finder-results 

 

If you want to test it out, you can simply create a WPA3 Personal (WPA3-SAE) WLAN and test your client for its support.

https://mrncciew.com/2019/11/29/wpa3-sae-mode/ 

 

HTH

Rasika

*** Pls rate all useful responses ***

That was quick. Already got the first client complaining he can't connect to the SSID anymore with PMF set to optional.

A Samsung Galaxy S2 running LineageOS 14.1 (based on Android 7.1.2). The original phone OS was never upgraded to Android 5, so I guess there never was a driver supporting 802.11w. It seems that Google added the support to Android 5.0, but the drivers need to support it too.

 

The Samsung S2 has a Broadcom BCM4330 chipset inside for wireless. Looking into the spec sheet, there is no support for PMF:

http://www.cypress.com/file/298676/download

 

The weird thing is, why can it not connect when PMF is marked as optional? It should?

 

HTH
-Jesus

*** Always Rate Helpful Responses ***

 

With PMF optional, the frames will still have more information in the header and I guess this was never correctly handled by the driver/kernel when it was compiled for Android 4.x. I hoped that software in 2020 would just ignore it, but sadly not in this specific case.



