Protected Management Frames Overview
Wi-Fi is a broadcast medium that enables any device to eavesdrop and participate either as a legitimate or rogue device. Management frames such as authentication, de-authentication, association, dissociation, beacons, and probes are used by wireless clients to initiate and tear down sessions for network services. Unlike data traffic, which can be encrypted to provide a level of confidentiality, these frames must be heard and understood by all clients and therefore must be transmitted as open or unencrypted. While these frames cannot be encrypted, they must be protected from forgery to protect the wireless medium from attacks. For example, an attacker could spoof management frames from an AP to attack a client associated with the AP.
The 802.11w protocol applies only to a set of robust management frames that are protected by the Protected Management Frames (PMF) service. These include Disassociation, De-authentication, and Robust Action frames.
Management frames that are considered as robust action and therefore protected are the following:
- Spectrum Management
- QoS
- DLS
- Block Ack
- Radio Measurement
- Fast BSS Transition
- SA Query
- Protected Dual of Public Action
- Vendor-specific Protected
Protected Management Frame Operation
The 802.11w standard called Protected Management Frames(PMF) that shields the client by using a Security Association teardown protection mechanism.
PMF requires the cnPilot Access Point to check with the legitimate client first by sending a Security Association (SA) Query Request frame to the legitimate client. The legitimate 802.11w client must respond with a Security Association (SA) Query Response frame within a pre-defined amount of time(milliseconds) called the SA Query Retry time. If the legitimate client responds in time, then legitimate client maintains the connection and cnPilot AP sends the rouge client a status code 30 message that states “Association request rejected temporarily; try again later”. This action will prevent the rouge client from connecting and prevent the legitimate client from being disconnected from the Access Point.
However, if the legitimate client doesn’t reply in time(milliseconds) to the Security Association(SA) Request frame, then the client session is torn down by the cnPilot AP by sending a disassociation message.
PMF only works with WPA2-PSK or 802.1x WPA2-Enterprise security.
cnPilot AP supports 3 PMF options(see below image):
- Disable – Disables 802.11w PMF protection on a WLAN.
- Optional- When security is enabled in WLAN, by default PMF will be in Optional Mode. By selecting this option, both 802.11w capable clients and 802.11w non-capable clients can connect.
- Mandatory – Only 802.11w capable clients can associate to the WLAN.
Configuration
1. PMF capability will be visible only in security mode, so select either WPA2-PSK or WPA2-Enterprise security.Goto “Configure >> WLAN >> Security” and Select either WPA2-PSK or WPA2-Enterprise.
2. Goto “Configure >> WLAN >> 802.11w State” and select Disable, Optional or Mandatory state.
The following Wireshark captures shows the RSNIE capabilities, when PMF is configured with Optional state.
The following Wireshark captures shows the RSNIE capabilities, when PMF is configured with Mandatory state.
The following Wireshark captures shows the RSNIE capabilities in Association Request frame of 802.11w wireless client.
