Wireless Access

Hi.

is aruba supporting 802.11w MFP (management frame protection) standard to prevent man in the middle attacks ?

cheers

Oliver

from what i heard it isn't support yet.

the question is also how useful it will be as client support is pretty limited, windows 8 seems the first serious supported platform. and when it is support there are issues, see for example:

http://etherealmind.com/bookmarks-4th-september-2012/

I know the interop issues mentioned in the link was fixed, qeustion still is does Aruba support MFP?
Just a tick in the box for a RFI

Is there any client support for 802.11w?

Windows 8 is the first Microsoft platform to support 802.11w MFP natively in the OS
The other vendor in the link above fixed their code in 7.3 and 7.4 to work with Win 8 MFP

I want to say that "support" and interoperability are two different things.  Backwards compatibility is essential for any standard.

There are quite a few older clients that expect "all of the bits" to be in place when they associate.  If they are not, they just simply refuse to associate, and that will slow adoption of many useful new standards to a crawl:  https://supportforums.cisco.com/thread/2225361

What will be the next client that refuses to work?  Nobody knows...  https://supportforums.cisco.com/docs/DOC-27213

But as a RFI tick in the box does Aruba have the 802.11w MFP feature?

Not at this time, no.

Hello airheads!

Any news about supporting 802.11w ?

In Aruba User Guide 6.3 is not info about it.

Thanks.

Jaroslav

It is available in AOS 6.4

From page 404 of the AOS 6.4 user guide:

Management Frame Protection

ArubaOS supports the IEEE 802.11w standard, also known as Management Frame Protection (MFP). MFP makes it
difficult for an attacker to deny service by spoofing Deauth and Disassoc management frames. MFP uses 802.11i
(Robust Security Network) framework that establishes encryption keys between the client and AP.
MFP is configured on a virtual AP (VAP) as part of the wlan ssid-profile. There are two parameters that can be
configured, mfp-capable and mfp-required. Both are disabled by default.

MFP can only be enabled on SSIDs that support WPA2. MFP is not supported on virtual APs using tunnel forwarding
mode.

Many thanks!

That seems to be still the case, according to Aruba documentation:

"MFP can only be enabled on SSIDs that support WPA2. MFP is not supported on virtual APs using tunnel forwarding mode."

Tim, is that still true? how can we prevent against "deauth broadcast" attacks without MFP if the VAP is tunnel mode? 

I get the error message below on AOS 6.5.3.5:

(sdzac10-108-1.nje.twosigma.com) (SSID Profile "NAVID-TEST-SSID") #mfp-capable
Cannot enable MFP because the profile is referenced by tunnel mode virtual ap profiles

802.11w is supported on any other forwarding mode besides tunnel.  Decrypt tunnel is supported (which requires cpsec).  What is  greatly missing is client support for 802.11w:  https://clients.mikealbano.com/

WPA3 should come with management frame protection as part of the standard, so that probably would be a better route for an actual deployment when mainstream clients are available.