Last time we described what MFP can do, so now let’s talk about how you set it up; it only takes a few steps.
First, in the controller’s GUI, navigate to Security > Wireless Protection Policies > AP Authentication/MFP, and in the Protection Type drop-down menu select Management Frame Protection. This enables MFP globally on the controller, letting you use MFP on WLANs that you designate.
Next, navigate to WLANs > wlan_id_number > Security > Layer 2 Policies. The WLAN must use WPA2 in order to use MFP, so in the Layer 2 Security drop-down menu, select WPA+WPA2. In the fields below, make sure you have enabled WPA2 policy and WPA2 encryption (either TKIP or AES is acceptable).
Then, navigate to WLANs > wlan_id_number > Advanced and check the box for Infrastructure MFP Protection. This enables access points (APs) to participate in Infrastructure MFP, causing the APs to digitally sign their management frames.
Finally, use the MFP Client Protection drop-down menu to select Disabled, Optional, or Required, according to your clients’ capabilities and the level of protection you desire.
- Disabled turns off client support for MFP.
- Optional enables client devices to participate as validator devices if they are capable, but still allows clients that cannot support MFP to participate in the network.
- Required makes client MFP support mandatory – devices that don’t support MFP will not be allowed to join the network.
So, now you know how I came to be worry free and in love with my WLAN.
Guest Author: Bill Daniel, GigaWave Technologies