That seems to be still the case, according to Aruba documentation:
"MFP can only be enabled on SSIDs that support WPA2. MFP is not supported on virtual APs using tunnel forwarding mode."
Tim, is that still true? how can we prevent against "deauth broadcast" attacks without MFP if the VAP is tunnel mode?
I get the error message below on AOS 6.5.3.5:
(sdzac10-108-1.nje.twosigma.com) (SSID Profile "NAVID-TEST-SSID") #mfp-capable
Cannot enable MFP because the profile is referenced by tunnel mode virtual ap profiles