This feature protects stations against forged management frames spoofed from other devices that might otherwise disrupt a valid user session. MFP is negotiated between the client and the AP. Because the management frames are encrypted, WPA/WPA2 must be enabled in the wireless service configuration.
If the client and AP are capable of supporting MFP, RSN information elements (IEs) are passed during the authentication phase. The image below shows a client M2 frame not supporting MFP:
Some wireless clients may not work with MFP enabled, as they do not support or understand the additional information included in the MFP encryption. This is known as the Message Integrity Check (MIC).
It is best practice to test all your allowed and known network client devices on MFP-enabled WLANs prior to going live on the network whenever possible (new deployments, etc.).
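When testing clients, the MFP bits can be read directly from the RSN IE in a captured association request or M2 frame. The following is an added example, not part of the original page: a small parser for the RSN IE (element ID 48) that reports the MFP capable and MFP required bits of the RSN Capabilities field. The function names and the two sample IEs are constructed for illustration.

```python
import struct

MFPR = 0x0040  # RSN Capabilities bit 6: management frame protection required
MFPC = 0x0080  # RSN Capabilities bit 7: management frame protection capable

def _result(caps, group_mgmt):
    return {"mfp_capable": bool(caps & MFPC),
            "mfp_required": bool(caps & MFPR),
            "group_mgmt_cipher": group_mgmt}

def parse_rsn_mfp(ie: bytes) -> dict:
    """Return the MFP-related fields of one RSN IE (element ID 48)."""
    if len(ie) < 2 or ie[0] != 48:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN IE")
    off = 2 + 4                      # skip version and group data cipher suite
    for _ in range(2):               # pairwise cipher list, then AKM list
        if off + 2 > len(body):
            return _result(0, None)  # fields are optional: no caps means no MFP
        (count,) = struct.unpack_from("<H", body, off)
        off += 2 + 4 * count
        if off > len(body):
            raise ValueError("suite list overruns IE")
    if off + 2 > len(body):
        return _result(0, None)
    (caps,) = struct.unpack_from("<H", body, off)
    off += 2
    group_mgmt = None
    if off + 2 <= len(body):         # optional PMKID list, then group mgmt cipher
        (pmkids,) = struct.unpack_from("<H", body, off)
        off += 2 + 16 * pmkids
        if off + 4 <= len(body):
            suite = body[off:off + 4]
            group_mgmt = f"{suite[:3].hex('-')}:{suite[3]}"
    return _result(caps, group_mgmt)

# Constructed sample: client RSN IE with RSN Capabilities 0x0000 (no MFP)
CLIENT_NO_MFP = bytes.fromhex(
    "3014 0100 000fac04 0100 000fac04 0100 000fac02 0000")
# Constructed sample: RSN IE with MFPC and MFPR set plus a group mgmt cipher
PEER_MFP_REQUIRED = bytes.fromhex(
    "301a 0100 000fac04 0100 000fac04 0100 000fac06 c000 0000 000fac06")

if __name__ == "__main__":
    print(parse_rsn_mfp(CLIENT_NO_MFP))
    print(parse_rsn_mfp(PEER_MFP_REQUIRED))
```

A client whose IE reports `mfp_capable` as false will be unable to associate to a WLAN that sets MFP as required, which is the case to look for during pre-deployment testing.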
Frames that are protected once negotiation is completed include:
- QoS Action