Client Management Frame Protection (MFP): Common Myths and Misconceptions

The Truth About Client Management Frame Protection (MFP)

Prev Question Next Question

Question

Which of the following statements are not correct about Client Management Frame Protection (MFP)? (Choose 2.)

Answers

A. Client MFP can replace Infrastructure MFP in case only CCXv5 clients are used.

B. Client MFP encrypts class 3Unicastmanagement frames using the security mechanisms defined by 802.11i.

C. In order to use Client MFP the client must support CCXv5 and negotiate WPA2 with AES-CCMP or TKIP.

D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication.

E. CCXv5 client and access points must discard broadcast class 3 management frames.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

AD.

Client Management Frame Protection (MFP) is a wireless security mechanism that helps protect client devices from attacks that involve forged or spoofed management frames. Here's a detailed explanation of the statements provided in the question:

A. Client MFP can replace Infrastructure MFP in case only CCXv5 clients are used. This statement is not correct. Client MFP and Infrastructure MFP are two separate mechanisms that serve different purposes. Client MFP protects the client device, while Infrastructure MFP protects the wireless infrastructure. Client MFP cannot replace Infrastructure MFP, even if only CCXv5 clients are used.

B. Client MFP encrypts class 3 Unicast management frames using the security mechanisms defined by 802.11i. This statement is correct. Client MFP encrypts class 3 Unicast management frames using the security mechanisms defined by 802.11i, such as AES-CCMP or TKIP.

C. In order to use Client MFP, the client must support CCXv5 and negotiate WPA2 with AES-CCMP or TKIP. This statement is correct. In order to use Client MFP, the client must support CCXv5 and negotiate WPA2 with AES-CCMP or TKIP. CCXv5 is a set of specifications defined by Cisco that provide enhanced security and performance features for wireless clients.

D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication. This statement is not correct. There are multiple methods to obtain the pre-user MFP encryption keys, such as 802.1X authentication, MAB (MAC Authentication Bypass), or Preshared Key (PSK) authentication.

E. CCXv5 client and access points must discard broadcast class 3 management frames. This statement is not correct. CCXv5 client and access points must not discard broadcast class 3 management frames. Instead, they must encrypt and authenticate these frames to prevent attacks that involve spoofed or forged broadcast frames.

In summary, the incorrect statements about Client Management Frame Protection (MFP) are:

A. Client MFP can replace Infrastructure MFP in case only CCXv5 clients are used.
D. The only supported method to obtain the pre-user MFP encryption keys is EAP authentication.

Prev Question Next Question