Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Protected management frames on Instant

  • 1.  Protected management frames on Instant

    Posted Nov 01, 2018 06:16 AM

    Hello,

    I have enabled MFP on all SSIDs but it does not appear to be working.


    I'm running an Aruba Instant deployment with mixed access points

    IAP-225 and IAP-325.

    Current version is 6.4.4.8-4.2.4.8_60300


    We're having issues with someone else in the building doing rogue containment on one of our APs.


    I have set all SSIDs to mfp-capable

    But I've also tested to set it to mfp-required on one SSID.

    When sniffing the traffic, we can see that in the probe response from the access point the MFP capabilities are set to false.


    Is there something else required to enable this capability?




  • 2.  RE: Protected management frames on Instant

    EMPLOYEE
    Posted Nov 01, 2018 07:08 AM

    MFP requires an MFP capable client to work.  If you don't have an MFP capable client, protected frames will not be transmitted between the client and the access point.  Very few clients support MFP.



  • 3.  RE: Protected management frames on Instant

    Posted Nov 01, 2018 08:13 AM

    Thank you for your quick response.
    I have tested with a computer that, according to the configuration, is capable. The client in question is a Dell laptop with Windows 10.

    However, in the capture it looks like neither the access point nor the laptop advertises this capability, see attached picture:

    1. Probe request, Client > AP (does not contain RSN capabilities)

    2. Probe Response, AP > Client: contains RSN capabilities but MFP capable is "False"

    ...

    23. Association request, Client > AP: contains RSN capabilities but MFP capable is "False"

     MFP_false.png

    I am looking into the client side as well. We have Windows, Apple and Linux laptops.
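The "MFP capable: False" that the capture above shows, and the point in reply 2 that protection only happens when both sides support it, both come down to two bits in the RSN Capabilities field of the RSN information element (element ID 48) carried in beacons, probe responses and association requests: MFPC (bit 7) and MFPR (bit 6). The following decoder is an added example written for this thread; it is not code from the poster or from HPE Aruba Networking, and the RSN elements it parses are constructed byte strings rather than the thread's capture. It assumes the usual mapping that an SSID set to mfp-capable advertises MFPC only and one set to mfp-required advertises MFPC and MFPR; the decoder then applies the 802.11w policy rules to show what an association between a given AP and client would yield.

```python
"""Decode an 802.11 RSN information element (element ID 48), report its
PMF (802.11w) bits, and apply the 802.11w policy rules to an AP/client pair.
Added example for this thread; the sample elements below are constructed."""
import struct
from dataclasses import dataclass

RSN_ELEMENT_ID = 0x30
IEEE_OUI = b"\x00\x0f\xac"

# Suite selector types registered under the IEEE 802.11 OUI 00-0F-AC.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
        5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}

# Bits of the 16-bit RSN Capabilities field that carry the 802.11w policy.
MFPR_BIT = 0x0040  # bit 6: Management Frame Protection Required
MFPC_BIT = 0x0080  # bit 7: Management Frame Protection Capable


@dataclass
class RsnInfo:
    group_cipher: str
    pairwise_ciphers: list
    akms: list
    capabilities: int

    @property
    def mfp_capable(self) -> bool:
        return bool(self.capabilities & MFPC_BIT)

    @property
    def mfp_required(self) -> bool:
        return bool(self.capabilities & MFPR_BIT)


def _suite_name(raw: bytes, table: dict) -> str:
    oui, kind = raw[:3], raw[3]
    if oui != IEEE_OUI:
        return f"vendor-{oui.hex()}-{kind}"
    return table.get(kind, f"unknown-{kind}")


def _suite_list(body: bytes, pos: int, table: dict):
    """Read a little-endian 2-byte count followed by that many 4-byte suite selectors."""
    if pos + 2 > len(body):
        raise ValueError("missing suite count")
    (count,) = struct.unpack_from("<H", body, pos)
    pos += 2
    if pos + 4 * count > len(body):
        raise ValueError("suite list runs past end of element")
    names = [_suite_name(body[pos + 4 * i:pos + 4 * i + 4], table) for i in range(count)]
    return names, pos + 4 * count


def parse_rsn_ie(ie: bytes) -> RsnInfo:
    """Parse a raw RSN element (element ID and length byte included) as
    carried in a beacon, probe response or (re)association request."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 6:
        raise ValueError("truncated RSN element")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError(f"unsupported RSN version {version}")
    group = _suite_name(body[2:6], CIPHERS)
    pairwise, pos = _suite_list(body, 6, CIPHERS)
    akms, pos = _suite_list(body, pos, AKMS)
    # RSN Capabilities is optional; when absent every bit reads as 0,
    # which a dissector shows as "MFP capable: False".
    caps = 0
    if pos + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, pos)
    return RsnInfo(group, pairwise, akms, caps)


def pmf_outcome(ap: RsnInfo, sta: RsnInfo) -> str:
    """802.11w policy selection: result of a client advertising `sta` joining an AP advertising `ap`."""
    if ap.mfp_required and not sta.mfp_capable:
        return "reject"        # AP refuses the association (robust management policy violation)
    if sta.mfp_required and not ap.mfp_capable:
        return "reject"        # client must not associate to an AP that cannot protect frames
    if ap.mfp_capable and sta.mfp_capable:
        return "protected"     # deauth/disassoc/action frames will be integrity-protected
    return "unprotected"       # the situation seen in the thread: both sides MFPC=0


# Constructed RSN elements (not taken from the thread's capture).
# Layout: ID, length, version, group cipher, pairwise count+list, AKM count+list, RSN caps.
AP_NO_PMF = bytes.fromhex("30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 00 00")
AP_PMF_CAPABLE = bytes.fromhex(
    "30 18 01 00 00 0f ac 04 01 00 00 0f ac 04 02 00 00 0f ac 02 00 0f ac 06 80 00")
AP_PMF_REQUIRED = bytes.fromhex("30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 06 c0 00")
STA_NO_PMF = AP_NO_PMF            # association request with MFPC and MFPR clear
STA_PMF_CAPABLE = AP_PMF_CAPABLE  # association request with MFPC set

if __name__ == "__main__":
    for label, ie in [("AP no PMF", AP_NO_PMF), ("AP PMF capable", AP_PMF_CAPABLE),
                      ("AP PMF required", AP_PMF_REQUIRED)]:
        info = parse_rsn_ie(ie)
        print(f"{label}: AKM={info.akms} caps=0x{info.capabilities:04x} "
              f"MFPC={info.mfp_capable} MFPR={info.mfp_required}")
    print("thread's case (both sides MFPC=0):",
          pmf_outcome(parse_rsn_ie(AP_NO_PMF), parse_rsn_ie(STA_NO_PMF)))
```

To check a real deployment, export the RSN element bytes of the probe response and of the client's association request from the capture tool and feed each to parse_rsn_ie; if the AP side reports MFPC=False while the SSID is configured mfp-capable, the problem is on the AP build rather than the client, which is what the rest of this thread concludes.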



  • 4.  RE: Protected management frames on Instant

    EMPLOYEE
    Posted Nov 01, 2018 08:20 AM

    What version of Instant is this?

    Please show us your SSID configuration.

    What is the client?




  • 5.  RE: Protected management frames on Instant

    Posted Nov 01, 2018 08:36 AM

    IAP-225 and IAP-325.

    Current version is 6.4.4.8-4.2.4.8_60300


    Here is the config; I have removed keys, addresses and names since I don't want those public.

    version 6.4.4.0-4.2.4
    virtual-controller-country SE
    virtual-controller-key OMITED
    name OMITED
    organization "OMITED"
    virtual-controller-ip OMITED
    syslog-server OMITED
    syslog-level info
    terminal-access
    ntp-server OMITED
    clock timezone OMITED
    clock summer-time OMITED recurring last sunday march 00:00 last sunday october 03:00
    rf-band 5.0
    dynamic-radius-proxy
    ams-ip OMITED
    ams-key OMITED
    ams-identity OMITED
    
    allow-new-aps
    OMITED
    
    
    snmp-server community OMITED
    snmp-server user OMITED
    
    arm
     wide-bands 5ghz
     min-tx-power 9
     max-tx-power 15
     band-steering-mode force-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning
     client-match
    
    
    syslog-level info ap-debug 
    syslog-level info network 
    syslog-level info security 
    syslog-level info system 
    syslog-level info user 
    syslog-level warn user-debug 
    syslog-level warn wireless 
    
    
    deny-local-routing
    
    
    
    
    mgmt-user OMITED OMITED
    
    
    wlan access-rule "OMITED"
     index 0
     rule any any match any any any permit
    
    wlan access-rule default_wired_port_profile
     index 1
     rule any any match any any any permit
    
    wlan access-rule wired-SetMeUp
     index 2
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule "OMITED"
     index 3
     rule any any match any any any permit
    
    wlan access-rule "OMITED"
     index 4
     rule any any match any any any permit
    
    wlan access-rule OMITED
     utf8
     index 5
     rule any any match any any any permit
    
    wlan access-rule OMITED
     index 6
     rule any any match any any any permit
    
    wlan access-rule wired-instant
     index 7
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 4343 4343 permit
     rule any any match udp 67 68 permit
     rule any any match udp 53 53 permit
    
    wlan access-rule "OMITED"
     index 8
     rule any any match any any any permit
    
    wlan ssid-profile "OMITED"
     enable
     index 0
     type employee
     essid "OMITED"
     wpa-passphrase OMITED
     opmode wpa2-psk-aes
     max-authentication-failures 10
     vlan OMITED
     rf-band 5.0
     captive-portal disable
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     g-min-tx-rate 11
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 25
     max-clients-threshold 64
     mfp-capable
    
    wlan ssid-profile "OMITED"
     enable
     index 1
     type employee
     essid "OMITED"
     wpa-passphrase OMITED
     opmode wpa2-psk-aes
     max-authentication-failures 10
     vlan OMITED
     rf-band 5.0
     captive-portal disable
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     g-min-tx-rate 11
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 25
     max-clients-threshold 64
     mfp-capable
    
    wlan ssid-profile "OMITED"  <<<<<<<<<<< Main client SSID
     enable
     index 2
     type employee
     essid "OMITED"
     opmode wpa2-aes
     max-authentication-failures 0
     vlan OMITED
     auth-server OMITED
     auth-server OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     rf-band 5.0
     captive-portal disable
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     deny-inter-user-bridging
     radius-reauth-interval 240
     g-min-tx-rate 11
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 25
     max-clients-threshold 64
     okc
     mfp-capable
    
    wlan ssid-profile OMITED
     enable
     index 3
     type employee
     essid OMITED
     utf8
     wpa-passphrase OMITED
     opmode wpa2-psk-aes
     max-authentication-failures 10
     vlan OMITED
     rf-band all
     captive-portal disable
     hide-ssid
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     g-min-tx-rate 11
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 25
     max-clients-threshold 64
     mfp-capable
    
    wlan ssid-profile OMITED
     disable
     index 4
     type employee
     essid OMITED
     wpa-passphrase OMITED
     opmode wpa2-psk-aes
     max-authentication-failures 10
     vlan OMITED
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     g-min-tx-rate 11
     blacklist
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     mfp-capable
    
    wlan ssid-profile "OMITED - 2.4ghz"
     disable
     index 5
     type employee
     essid "OMITED - 2.4ghz"
     opmode wpa2-aes
     max-authentication-failures 0
     vlan OMITED
     auth-server OMITED
     auth-server OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     set-vlan Tunnel-Private-Group-Id equals OMITED
     rf-band 5.0
     captive-portal disable
     dtim-period 1
     inactivity-timeout 3600
     broadcast-filter all
     deny-inter-user-bridging
     radius-reauth-interval 240
     g-min-tx-rate 11
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 25
     max-clients-threshold 64
     okc
     mfp-capable
    
    auth-survivability cache-time-out 4
    
    
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan auth-server OMITED
     ip OMITED
     port 1812
     acctport 1813
     key OMITED
    
    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"
     auto-whitelist-disable
     https
    
    
    blacklist-time 3600
    auth-failure-blacklist-time 3600
    
    ids
     wireless-containment none
     infrastructure-detection-level low
     client-detection-level low
    
    
    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan all
     native-vlan 1
     shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex full
     no poe
     type employee
     captive-portal disable
     no dot1x
    
    wired-port-profile wired-SetMeUp
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-SetMeUp
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    
    wired-port-profile wired-instant
     switchport-mode access
     allowed-vlan all
     native-vlan guest
     no shutdown
     access-rule-name wired-instant
     speed auto
     duplex auto
     no poe
     type guest
     captive-portal disable
     no dot1x
    
    
    enet0-port-profile default_wired_port_profile
    
    uplink
     preemption
     enforce none
     failover-internet-pkt-lost-cnt 10
     failover-internet-pkt-send-freq 30
     failover-vpn-timeout 180
    
    
    airgroup
     disable
    
    airgroupservice airplay
     disable
     description AirPlay
    
    airgroupservice airprint
     disable
     description AirPrint
    
    


  • 6.  RE: Protected management frames on Instant
    Best Answer

    EMPLOYEE
    Posted Nov 01, 2018 09:00 AM

    I would upgrade to Instant 6.5.0.0-4.3.0.0 and above:

    Screenshot 2018-11-01 at 07.59.05.png




  • 7.  RE: Protected management frames on Instant

    Posted Nov 01, 2018 09:47 AM

    Alright, I will upgrade in the evening and see if it helps.

    Thanks.



  • 8.  RE: Protected management frames on Instant

    Posted Nov 19, 2018 02:24 AM

    Hi,

    I upgraded to version 6.5.4.9_67129 which resolved the problem.

    I was able to capture the protected flag and the clients reported that the problems went away.

    Thanks for your support!