802.11W - Protected Management Frame
B-association-comeback and
D-saquery-retry-time
Wi-Fi is a broadcast medium, so any device can act as either a legitimate or a rogue device.
Unlike data traffic, which can be encrypted to provide a level of confidentiality, management frames must be
heard and understood by all clients and therefore must be transmitted open, that is, unencrypted. While
these frames cannot be encrypted, they must still be protected to defend the wireless medium against
attacks. For example, an attacker could spoof management frames from an AP to attack a client
associated with the AP causing:
MFP - Management Frame Protection is negotiated between the client and AP.
Both the AP and the client are required to support MFP or PMF to provide a reliable wireless connection.
All you need to do on the wireless controller is configure the WLAN to use PMF. PMF only works with
WPAv2 PSK (PMF PSK) or 802.1x WPAv2 (PMF 802.1X) security.
802.11w also introduced an association spoofing protection mechanism. It is intended to prevent replay attacks
from tearing down an existing client association. It consists of two mechanisms:
1) Association Comeback Time
2) SA-Query Procedure
When an Access Point (AP) receives an association request from a Client that already has an
entry in the AP association table, the Access Point rejects the association with the
reason “association rejected temporarily”. It also includes an association comeback time in the
association rejection frame. It is shown pictorially below.
The timeout interval is in milliseconds; in the above example, a timeout interval of 10 seconds is
set. After sending the association rejection message, the Access Point sends an SA Query to the
802.11 Client. If the SA Query is successfully negotiated, then it allows the Client to connect to the
Access Point by sending another association frame to the Access Point.
2. SA Query Procedure
The Security Association (SA) Query procedure is a mechanism introduced in the 802.11w amendment to the
802.11 standard to prevent replay attacks from tearing down an existing session.
The frames that are used in the SA Query procedure are the SA Action frames and are shown below:
Fig Courtesy: 802.11 Standard
0 – SA Query request
1 – SA Query response
The transaction identifier is a 16-bit non-negative value that is kept the same across the SA
Query request and its response.
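
The request/response matching described above can be sketched as follows. This is an added example, not code from the original page or from any AP vendor. It assumes the SA Query action category code 8 from the 802.11 standard, a little-endian transaction identifier, and a randomly chosen identifier; the SaQueryTracker class and its method names are hypothetical.

```python
import secrets
import struct

CATEGORY_SA_QUERY = 8   # SA Query action category in the 802.11 standard (not stated on this page)
SA_QUERY_REQUEST = 0    # action values as listed above
SA_QUERY_RESPONSE = 1


def build_sa_query(action, transaction_id):
    """Frame body: category (1 byte) | action (1 byte) | transaction id (2 bytes, little-endian)."""
    if action not in (SA_QUERY_REQUEST, SA_QUERY_RESPONSE):
        raise ValueError("unknown SA Query action")
    return struct.pack("<BBH", CATEGORY_SA_QUERY, action, transaction_id)


def parse_sa_query(body):
    """Return (action, transaction_id), or None if the body is not an SA Query frame."""
    if len(body) < 4:
        return None
    category, action, tid = struct.unpack("<BBH", body[:4])
    if category != CATEGORY_SA_QUERY:
        return None
    if action not in (SA_QUERY_REQUEST, SA_QUERY_RESPONSE):
        return None
    return action, tid


class SaQueryTracker:
    """Hypothetical AP-side record of outstanding SA Query requests, one per client."""

    def __init__(self):
        self.pending = {}  # client MAC -> transaction id awaiting a response

    def start(self, client_mac):
        # Assumption: a random 16-bit identifier; any value works if it is echoed back.
        tid = secrets.randbelow(1 << 16)
        self.pending[client_mac] = tid
        return build_sa_query(SA_QUERY_REQUEST, tid)

    def accept_response(self, client_mac, body):
        """True only for a response whose transaction id matches the pending request."""
        parsed = parse_sa_query(body)
        expected = self.pending.get(client_mac)
        if parsed is None or expected is None:
            return False
        action, tid = parsed
        if action != SA_QUERY_RESPONSE or tid != expected:
            return False
        del self.pending[client_mac]  # one response per request; a replay is rejected
        return True
```

The body parsed here is the action frame payload after the 802.11 MAC header; the tracker only decides whether a response answers an outstanding request and leaves the association decision to the caller.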