wlc-9800 disable Protective Management Frames for Honeywell CT40

dmooreami
Level 3

I have some Honeywell CT40s that run Android and need protective management frames off.

The above article says to disable PMF, enable WPA3 (already did WPA3, didn't fix).

My wlc-9800 has the PMF as:

==Cli===
PMF Support                                : Optional
        PMF Association Comeback Timeout (secs): 1
        PMF SA Query Time (msecs)              : 200
=====

Optional and off are not the same thing, correct? PMF is still ON, correct?

==wlan config===

wlan NOPMF_HH 23 NOPMF_HH
no assisted-roaming neighbor-list
no bss-transition
no bssmaxidle
ccx aironet-iesupport
channel-scan defer-priority 4
no device-analytics
no dms
no dot11ax downlink-mumimo
no dot11ax downlink-ofdma
no dot11ax target-waketime
no dot11ax uplink-mumimo
no dot11ax uplink-ofdma
radio dot11a
security wpa wpa3
security dot1x authentication-list NOPMF_SSIDs
security pmf optional
no shutdown

This article

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Gibraltar 16.10.x - 802.11w [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

mentions you need to enable WPA, and AKM must be configured, before removing PMF?

This is a live production SSID. Are these WPA & AKM changes disruptive to add, or do they take effect after PMF is removed?

Thanks

4 Replies

Rasika Nayanajith
VIP Alumni

"Optional and off are not the same thing, correct? PMF is still ON, correct?"

Yes, Optional means you leave it on but do not require the client STA to support it.

With WPA3+WPA2 you have to leave it optional as you cannot turn it off.

In this SSID, if you do not require WPA3, then security can be changed to WPA+WPA2 (security wpa wpa2) & test it out.

Any change to WLAN settings is disruptive, and your WLAN clients will momentarily disconnect & reconnect when you apply changes.

HTH
Rasika
*** Pls rate all useful responses ***

So you can't enable WPA3 and turn off PMF.

The Honeywell article offers two solutions: 1) enable WPA3, 2) turn off PMF.

Seems to me it's either 1 or 2 but not both.

Enabling WPA3 worked "for a while" but now having issues. Guess it's time to disable WPA3 and "disable PMF".

WPA3 isn't required but was a "fix" suggested by Honeywell.

"So you can't enable WPA3 and turn off PMF."

Correct, with WPA3, you have to enable PMF (you can leave "Optional" in WPA3 + WPA2 transition SSIDs, which means it is still ON and negotiated).
If WPA3 is not a requirement, then I would suggest changing security to WPA+WPA2 and leaving PMF disabled for this SSID.

HTH
Rasika

JPavonM
VIP

No, you can't. Check this whitepaper https://www.wi-fi.org/system/files/WPA3%20Specification%20v3.1.pdf and the official announcement here https://www.wi-fi.org/discover-wi-fi/security

WPA3-Enterprise builds upon the foundation of WPA2-Enterprise with the additional requirement of using Protected Management Frames on all WPA3 connections.
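
The rule the replies above agree on (WPA3 cannot run with PMF off, and Optional still means on), as an added example that is not part of the original thread or any Cisco tooling: a small Python check over WLAN blocks copied from the running config. It assumes a block with no `security pmf` line has PMF disabled and only looks at the command spellings quoted in the thread; `audit_wlans` and `SAMPLE` are illustrative names.

```python
import re

# Constructed sample: security-relevant lines of the WLAN block quoted in the thread.
SAMPLE = """\
wlan NOPMF_HH 23 NOPMF_HH
 radio dot11a
 security wpa wpa3
 security dot1x authentication-list NOPMF_SSIDs
 security pmf optional
 no shutdown
"""

WLAN_RE = re.compile(r"wlan (\S+)(?: \d+ \S+)?$")
PMF_RE = re.compile(r"security pmf (optional|mandatory)$")

def audit_wlans(config):
    """Map each WLAN profile name to its WPA3 flag, PMF mode and findings."""
    wlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # the thread's paste lost indentation, so ignore it
        start = WLAN_RE.match(line)
        if start:
            # Assumption: no "security pmf" line in the block means PMF disabled.
            current = wlans.setdefault(
                start.group(1), {"wpa3": False, "pmf": "disabled", "findings": []})
        elif line == "!":
            current = None  # block separator in a running config
        elif current is not None:
            if line == "security wpa wpa3":
                current["wpa3"] = True
            pmf = PMF_RE.match(line)
            if pmf:
                current["pmf"] = pmf.group(1)
    for w in wlans.values():
        if w["pmf"] == "optional":
            w["findings"].append("PMF optional: still on, negotiated per client")
        if w["wpa3"] and w["pmf"] == "disabled":
            w["findings"].append("WPA3 without PMF: not a valid combination")
        elif w["wpa3"]:
            w["findings"].append("PMF cannot be turned off while WPA3 is enabled")
    return wlans

if __name__ == "__main__":
    for name, state in audit_wlans(SAMPLE).items():
        print(name, state["pmf"], state["findings"])
```

Run against the poster's block, it reports both findings: PMF is still negotiated, and it stays that way until WPA3 is removed from the WLAN.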

 
