Management frame protection (MFP) can be used to identify adversaries that are launching denial-of-service attacks, flooding the network with associations and probes, posing as rogue access points, or degrading network performance by attacking the QoS and radio measurement frames.
Transmit MFP Frames
When enabled, the access point protects the management frames it transmits by adding a message integrity check information element (MIC IE) to each frame. Any attempt to copy, alter, or replay the frame invalidates the MIC, causing any receiving access point configured to detect MFP frames to report the discrepancy. An access point must be a member of a WDS to transmit MFP frames. If it is not, a warning message is displayed on this page.
Detect MFP Frames
When MFP detection is enabled, the access point validates every management frame that it receives from other access points in the network. It ensures that the MIC IE is present (when the originator is configured to transmit MFP frames) and matches the content of the management frame. If it receives any frame that does not contain a valid MIC IE from a BSSID belonging to an access point that is configured to transmit MFP frames, it reports the discrepancy to the network management system (WLSE). The access point must be a member of a WDS to detect MFP frames. If it is not, a warning message is displayed on this page.
Distribute Keys
At least one WDS in the network must be configured to distribute signature keys to the MFP generators (protectors) and MFP detectors (validators) in the network. These are required by the generators to create MIC IEs and by the detectors to validate MIC IEs. A device that is configured to distribute keys also creates error reports from data received from the detecting access points and forwards them to the WLSE.
This check box is not present if the access point cannot be a WDS.
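The transmit, detect and key-distribution roles described above can be modeled in a few lines. This is an added illustration, not Cisco's implementation: the HMAC-SHA256 MIC, the dictionary frame layout and the per-BSSID sequence counter used to catch replays are assumptions, since the page does not specify the MIC IE format.

```python
import hashlib
import hmac

def mic_input(bssid: str, seq: int, body: bytes) -> bytes:
    # Assumed MIC coverage: originating BSSID, a sequence counter, and the frame body.
    return bssid.encode() + seq.to_bytes(8, "big") + body

def protect(key: bytes, bssid: str, seq: int, body: bytes) -> dict:
    """Generator (protector): attach a MIC computed with the distributed key."""
    mic = hmac.new(key, mic_input(bssid, seq, body), hashlib.sha256).digest()
    return {"bssid": bssid, "seq": seq, "body": body, "mic": mic}

class Detector:
    """Detector (validator): checks frames from BSSIDs known to transmit MFP."""

    def __init__(self, keys: dict):
        self.keys = keys      # BSSID -> signature key received from the key distributor
        self.last_seq = {}    # BSSID -> highest sequence number accepted so far

    def check(self, frame: dict) -> str:
        bssid = frame["bssid"]
        key = self.keys.get(bssid)
        if key is None:
            return "not-mfp"          # originator is not configured to transmit MFP
        mic = frame.get("mic")
        if mic is None:
            return "missing-mic"      # reportable: MFP BSSID sent a frame without a MIC IE
        want = hmac.new(key, mic_input(bssid, frame["seq"], frame["body"]),
                        hashlib.sha256).digest()
        if not hmac.compare_digest(mic, want):
            return "invalid-mic"      # reportable: frame content was altered or forged
        if frame["seq"] <= self.last_seq.get(bssid, -1):
            return "replay"           # reportable: valid MIC but stale sequence number
        self.last_seq[bssid] = frame["seq"]
        return "ok"

def demo() -> list:
    # Constructed sample data: the key, BSSIDs and frame bodies are made up.
    ap, key = "00:11:22:33:44:55", b"constructed-demo-key"
    det = Detector({ap: key})
    good = protect(key, ap, 1, b"beacon ssid=corp")
    altered = dict(good, seq=2, body=b"beacon ssid=other")   # body changed, old MIC kept
    stripped = {"bssid": ap, "seq": 3, "body": b"deauth"}     # no MIC IE at all
    foreign = {"bssid": "66:77:88:99:aa:bb", "seq": 1, "body": b"beacon"}
    return [det.check(f) for f in (good, good, altered, stripped, foreign)]

if __name__ == "__main__":
    print(demo())
```

Every result other than "ok" and "not-mfp" corresponds to a discrepancy that a detecting access point would report.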